

Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1524405
MD5: a58015bc46c585ae2b5c5f865221c456
SHA1: bce6af797b2e61a75381ea1a2d329281a0dd0dac
SHA256: ef56b64524f304085da2403cb4a67c8fe19c9d0389b3ae749f3fce8d8efb69ad
Tags: exe, user-Bitsight

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • file.exe (PID: 988 cmdline: "C:\Users\user\Desktop\file.exe" MD5: A58015BC46C585AE2B5C5F865221C456)
    • taskkill.exe (PID: 6940 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • conhost.exe (PID: 712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • chrome.exe (PID: 4416 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 1460 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 --field-trial-handle=2340,i,8720954307453147582,6285804185776578347,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 7892 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5416 --field-trial-handle=2340,i,8720954307453147582,6285804185776578347,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 7900 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=2340,i,8720954307453147582,6285804185776578347,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched



AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49761 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.6:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49765 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49769 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.6:49770 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49773 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49779 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49783 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_005ADBBE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057C2A2 FindFirstFileExW,0_2_0057C2A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B68EE FindFirstFileW,FindClose,0_2_005B68EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_005B698F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_005AD076
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_005AD3A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_005B9642
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_005B979D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_005B9B2B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_005B5C97
Source: Joe Sandbox View | IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View | JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View | JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49761 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown | TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown | TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown | TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown | TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005BCE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_005BCE44
Source: global traffic | HTTP traffic detected: GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1
  Host: youtube.com
  Connection: keep-alive
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Windows"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1
  Host: www.youtube.com
  Connection: keep-alive
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Windows"
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  Accept-Encoding: identity
  If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
  Range: bytes=0-2147483646
  User-Agent: Microsoft BITS/7.8
  Host: fs.microsoft.com
Source: global traffic | HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=2004920150&timestamp=1727888225573 HTTP/1.1
  Host: accounts.youtube.com
  Connection: keep-alive
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-full-version: "117.0.5938.134"
  sec-ch-ua-arch: "x86"
  sec-ch-ua-platform: "Windows"
  sec-ch-ua-platform-version: "10.0.0"
  sec-ch-ua-model: ""
  sec-ch-ua-bitness: "64"
  sec-ch-ua-wow64: ?0
  sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: iframe
  Referer: https://accounts.google.com/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  sec-ch-ua-arch: "x86"
  sec-ch-ua-full-version: "117.0.5938.134"
  sec-ch-ua-platform-version: "10.0.0"
  sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
  sec-ch-ua-bitness: "64"
  sec-ch-ua-model: ""
  sec-ch-ua-wow64: ?0
  sec-ch-ua-platform: "Windows"
  Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
  Sec-Fetch-Site: same-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: image
  Referer: https://accounts.google.com/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
  Cookie: NID=518=F1GWqozfbGLW9hfGllREsdBgmkpSSfJCQ-I3QDWS0-TqRU5oFuWLSQyP4StB1ojYRFxPzjZekoMvcqzdpLnNEZ8b43v91DeFuT0px3fb4O7dvQwa8weKo-y3XlRqWeQ0IJZSWmYMKV0RBRTFEzA9qsorb5UEZ9iVcoUucGzSgyX-EOxw0Gw
Source: global traffic | HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=tGtYDt73AH3hFv3&MD=2lGosxrH HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
  Host: slscr.update.microsoft.com
Source: global traffic | HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=tGtYDt73AH3hFv3&MD=2lGosxrH HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
  Host: slscr.update.microsoft.com
Source: chromecache_92.6.dr | String found in binary or memory: _.fq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.fq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.fq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.fq(_.oq(c))+"&hl="+_.fq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.fq(m)+"/chromebook/termsofservice.html?languageCode="+_.fq(d)+"&regionCode="+_.fq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: youtube.com
Source: global traffic | DNS traffic detected: DNS query: www.youtube.com
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic | DNS traffic detected: DNS query: play.google.com
Source: unknown | HTTP traffic detected: POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
  Host: play.google.com
  Connection: keep-alive
  Content-Length: 519
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  sec-ch-ua-arch: "x86"
  Content-Type: application/x-www-form-urlencoded;charset=UTF-8
  sec-ch-ua-full-version: "117.0.5938.134"
  sec-ch-ua-platform-version: "10.0.0"
  X-Goog-AuthUser: 0
  sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
  sec-ch-ua-bitness: "64"
  sec-ch-ua-model: ""
  sec-ch-ua-wow64: ?0
  sec-ch-ua-platform: "Windows"
  Accept: */*
  Origin: https://accounts.google.com
  X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
  Sec-Fetch-Site: same-site
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Referer: https://accounts.google.com/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: chromecache_92.6.dr | String found in binary or memory: https://accounts.google.com
Source: chromecache_92.6.dr | String found in binary or memory: https://accounts.google.com/TOS?loc=
Source: file.exe, 00000000.00000002.2194865315.0000000000E98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: chromecache_87.6.dr | String found in binary or memory: https://apis.google.com/js/api.js
Source: chromecache_92.6.dr | String found in binary or memory: https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage
Source: chromecache_92.6.dr | String found in binary or memory: https://families.google.com/intl/
Source: chromecache_87.6.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/drive_2020q4/v10/192px.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/gmail_2020q4/v10/web-48dp/logo_gmail_2020q4_color_2x_web_
Source: chromecache_87.6.dr | String found in binary or memory: https://fonts.gstatic.com/s/i/productlogos/maps/v7/192px.svg
Source: chromecache_92.6.dr | String found in binary or memory: https://g.co/recover
Source: chromecache_92.6.dr | String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_92.6.dr | String found in binary or memory: https://play.google.com/work/enroll?identifier=
Source: chromecache_92.6.dr | String found in binary or memory: https://play.google/intl/
Source: chromecache_92.6.dr | String found in binary or memory: https://policies.google.com/privacy
Source: chromecache_92.6.dr | String found in binary or memory: https://policies.google.com/privacy/additional
Source: chromecache_92.6.dr | String found in binary or memory: https://policies.google.com/privacy/google-partners
Source: chromecache_92.6.dr | String found in binary or memory: https://policies.google.com/technologies/cookies
Source: chromecache_92.6.dr | String found in binary or memory: https://policies.google.com/technologies/location-data
Source: chromecache_92.6.dr | String found in binary or memory: https://policies.google.com/terms
Source: chromecache_92.6.dr | String found in binary or memory: https://policies.google.com/terms/location
Source: chromecache_92.6.dr | String found in binary or memory: https://policies.google.com/terms/service-specific
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-email-pin.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-password.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-or-voice-pin.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-sms-pin.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/account-recovery-stop-go-landing-page_1x.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/animation/
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_device.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/ble_pin.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_1x.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_2x.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/contacts_backup_sync_darkmode_1x.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/continue_on_your_phone.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_phone_number_verification.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_silent_tap_yes_darkmode.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/device_prompt_tap_yes_darkmode.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kid_success_darkmode.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_dark_v2.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_updated_darkmode.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidfork_who_will_use_v2.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_not_ready.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_1.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignin_stick_around_dark_1.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_1.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_account_darkmode_1.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_1.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_child_privacy_darkmode_1.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_created.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_double_device_darkmode.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_full_house.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_1.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_link_accounts_darkmode_1.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_app_decision_darkmode.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_1.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_parent_supervision_darkmode_1.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_1.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_respect_others_darkmode_1.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_single_device_darkmode.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/kidsignup_stop.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/personalization_reminders.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/phone_number_sign_in_2x.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/return_to_desktop_darkmode.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_ios_center.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_laptop.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_nfc_discovered_darkmode.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/security_key_phone.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_ios.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_googleapp_pulldown.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/signin_tapyes.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/smart_lock_2x.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/usb_key.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/web_and_app_activity.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/who_will_be_using_this_device.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/embedded/you_tube_history.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/feature_not_available_dark.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/gmail_ios_authzen.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/paaskey.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_challenge_darkmode.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_darkmode.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_cross_device_darkmode.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_darkmode.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_error_darkmode.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_enrollment_reauth_darkmode.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkey_success_darkmode.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/passkeyerror_darkmode.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_dark.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/red_globe_light.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/screenlock.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_ipad.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_nfc.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_iphone_usb.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_key_phone.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/security_keys.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/marc/success_checkmark_2_darkmode.svg
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/ui/loading_spinner_gm.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/ui/progress_spinner_color_20dp_4x.gif
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/accounts/ui/success-gm-default_2x.png
Source: chromecache_87.6.dr | String found in binary or memory: https://ssl.gstatic.com/apps/signup/resources/custom-email-address.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/images/hpp/shield_security_checkup_green_2x_web_96dp.png
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_dark_1.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/account_setup_chapter_v1.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_dark_v1.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/device_setup_chapter_v1.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_dark_v1.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/chaptering/parental_control_chapter_v1.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_accountslinked_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_childneedshelp_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/conversion/conversion_nextstepsforparents_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_allset_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_apps_devices_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_areyousurekid_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_birthdayemail_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_choose_apps_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_confirmation.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_exploremore_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_intro_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacy_terms_a18_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_privacyterms_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_review_settings_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_safe_search_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_unchanged_a18_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_success_update_a18_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_a18_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervision_choice_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/graduation/graduation_supervisiongrad_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_0.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/guardianlinking/linking_complete_dark_0.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/ads_personalization_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/confirmation_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/eligibility_error_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/fork_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/intro_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/personal_results_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/minormodeexit/safe_search_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/check_notifications_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_installing_family_link_dark_2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_location_sharing_dark_2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_parental_controls_dark_2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/kid_watch_set_up_school_time_dark_2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/location_sharing_enabled_dark_3.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_1.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/parent_sign_in_prologue_dark_1.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_1.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_complete_dark_1.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_contacts_dark_2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_1.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_boy_dark_1.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/set_up_family_link_girl_dark_2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_dark_v2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/onboarding/ulp_continue_without_gmail_v2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/all_set_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/are_you_sure_parent_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/content_restriction_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/error_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/how_controls_work_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/next_steps_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/setup_controls_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_parent_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teensupervisionreview/who_teen_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/teentoadultgraduation/supervision_choice_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/kid_setup_parent_escalation_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/send_email_confirmation_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulp_appblock/success_sent_email_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/images/ulpupgrade/kidprofileupgrade_all_set_darkmode.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/all_set_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/almost_done_kids_space_v2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_tablet_v2_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/devices_connected_v2_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/emailinstallfamilylink_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/familylinkinstalling_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_dark_v2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/hand_over_device_v2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/linking_accounts_v2_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/locationsetup_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_email_v2_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/manage_parental_controls_v2_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/open_family_link_v2_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/parents_help_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space.png
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/set_up_kids_space_dark.png
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setupcontrol_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuplocation_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/setuptimelimits_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/supervision_ready_v2_dark.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess.svg
Source: chromecache_87.6.drString found in binary or memory: https://ssl.gstatic.com/kids/onboarding/illustrations/youtubeaccess_dark.svg
Source: chromecache_92.6.drString found in binary or memory: https://support.google.com/accounts?hl=
Source: chromecache_92.6.drString found in binary or memory: https://support.google.com/accounts?p=new-si-ui
Source: chromecache_92.6.drString found in binary or memory: https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072
Source: chromecache_87.6.drString found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_92.6.drString found in binary or memory: https://www.google.com
Source: chromecache_92.6.drString found in binary or memory: https://www.google.com/intl/
Source: chromecache_87.6.drString found in binary or memory: https://www.gstatic.com/accounts/speedbump/authzen_optin_illustration.gif
Source: chromecache_87.6.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/chrome_48dp.png
Source: chromecache_87.6.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/googleg_48dp.png
Source: chromecache_87.6.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/gsa_48dp.png
Source: chromecache_87.6.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/play_prism_48dp.png
Source: chromecache_87.6.drString found in binary or memory: https://www.gstatic.com/images/branding/product/2x/youtube_48dp.png
Source: chromecache_92.6.drString found in binary or memory: https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Source: chromecache_92.6.drString found in binary or memory: https://www.youtube.com/t/terms?chromeless=1&hl=
Source: chromecache_92.6.drString found in binary or memory: https://youtube.com/t/terms?gl=
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.6:49756 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49765 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49769 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.6:49770 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49773 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49779 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49783 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005BEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_005BEAFF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_005BED6A
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005AAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_005AAA57
Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005D9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_005D9576

System Summary

Source: file.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_98b2b08d-d
Source: file.exe, 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_fecb9b31-6
Source: file.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_e344a7e0-f
Source: file.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_f1cf0a49-4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005AD5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_005AD5EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_005A1201
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_005AE8F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054CAF0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0054BF40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B2046
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00548060
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A8298
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057E4FF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057676B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D4873
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056CAA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055CC39
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00576DD9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055B119
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005491C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00561394
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056781B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055997D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00547920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00567A4A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00567CA7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CBE44
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00579EEE
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00549CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00560A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 0055F9F2 appears 40 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal56.evad.winEXE@40/30@12/9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B37B5 GetLastError,FormatMessageW,0_2_005B37B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A10BF AdjustTokenPrivileges,CloseHandle,0_2_005A10BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_005A16C3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_005B51CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_005CA67C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_005B648E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_005442A2
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:712:120:WilError_03
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 --field-trial-handle=2340,i,8720954307453147582,6285804185776578347,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5416 --field-trial-handle=2340,i,8720954307453147582,6285804185776578347,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=2340,i,8720954307453147582,6285804185776578347,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (2 identical entries)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 --field-trial-handle=2340,i,8720954307453147582,6285804185776578347,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (15 identical entries)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5416 --field-trial-handle=2340,i,8720954307453147582,6285804185776578347,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=2340,i,8720954307453147582,6285804185776578347,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (11 identical entries)
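The process chain recorded above (file.exe runs taskkill /F /IM chrome.exe /T, then relaunches chrome.exe with --start-fullscreen and the infobar and crash-bubble suppression flags on a URL whose query string carries a Google password-challenge path) is the part of this report a detection engineer would want to turn into logic. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it scores process-creation events for exactly that chain. The indicator strings (the taskkill image name, the chrome flags, the nested accounts.google.com/v3/signin path) come from the process list above; the PIDs, the benign comparison events, the scoring weights and the alert threshold are assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon event 1 / 4688 style, fields trimmed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}
KIOSK_FLAGS = {"--start-fullscreen", "--kiosk"}
SUPPRESS_FLAGS = {"--disable-infobars", "--disable-session-crashed-bubble", "--no-first-run"}
# sign-in path seen in the report's chrome command line
LOGIN_PATH = re.compile(r"accounts\.google\.com/(?:v3/)?signin", re.I)
TASKKILL_IM = re.compile(r"/IM\s+(\S+)", re.I)
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline):
    """Split a Windows command line; keep quoted paths whole and drop the quotes."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def nested_login_url(url):
    """True when a sign-in path is smuggled into another host's query string,
    e.g. https://youtube.com/account?=https://accounts.google.com/v3/signin/...
    A URL whose own host is accounts.google.com does not count."""
    if "?" not in url:
        return False
    host_part, query = url.split("?", 1)
    return bool(LOGIN_PATH.search(query)) and not LOGIN_PATH.search(host_part)


def find_kiosk_phish(events, min_score=4):
    """Return one hit per browser launch that looks like a kiosk-mode credential lure."""
    by_pid = {e.pid: e for e in events}
    killed_by_parent = {}  # ppid -> image names that parent already killed
    hits = []
    # events are walked in order, so a taskkill only counts if it precedes
    # the browser launch from the same parent
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else "<unknown>"
        if name == "taskkill.exe":
            m = TASKKILL_IM.search(e.cmdline)
            if m:
                killed_by_parent.setdefault(e.ppid, set()).add(m.group(1).lower())
            continue
        if name not in BROWSER_IMAGES or parent_name in BROWSER_IMAGES:
            continue  # not a browser, or a browser's own helper process
        toks = tokens(e.cmdline)
        flags = {t.lower() for t in toks if t.startswith("--")}
        urls = [t for t in toks if t.lower().startswith(("http://", "https://"))]
        score, why = 0, []
        if flags & KIOSK_FLAGS:
            score += 2; why.append("fullscreen/kiosk launch")
        if len(flags & SUPPRESS_FLAGS) >= 2:
            score += 1; why.append("UI suppression flags")
        if name in killed_by_parent.get(e.ppid, set()):
            score += 2; why.append("parent killed the browser first")
        if any(nested_login_url(u) for u in urls):
            score += 3; why.append("sign-in URL nested in query string")
        if score >= min_score:
            hits.append({"parent": parent_name, "parent_pid": e.ppid,
                         "browser_pid": e.pid, "score": score, "indicators": why})
    return hits


# Constructed sample events (PIDs assumed); the first four mirror the report's
# process tree, the last two are a benign browser start and a chrome helper.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    ProcEvent(1234, 800, r"C:\Users\user\Desktop\file.exe", r'"C:\Users\user\Desktop\file.exe"'),
    ProcEvent(1300, 1234, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM chrome.exe /T"),
    ProcEvent(1310, 1300, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(1400, 1234, CHROME,
              f'"{CHROME}" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" '
              "--start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars"),
    ProcEvent(2000, 900, CHROME, f'"{CHROME}" https://www.google.com/'),
    ProcEvent(2001, 2000, CHROME,
              f'"{CHROME}" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US'),
]

if __name__ == "__main__":
    for hit in find_kiosk_phish(SAMPLE_EVENTS):
        print(hit)
```

The weights are deliberately additive so that a single indicator (a user who starts Chrome in fullscreen, or an installer that kills the browser before updating it) stays below the threshold while the full chain from the report scores well above it.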
Source: C:\Users\user\Desktop\file.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_005442DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00560A76 push ecx; ret 0_2_00560A89
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0055F98E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_005D1C41
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-96531
Source: C:\Users\user\Desktop\file.exe | API coverage: 3.9 %
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_005ADBBE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057C2A2 FindFirstFileExW,0_2_0057C2A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B68EE FindFirstFileW,FindClose,0_2_005B68EE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_005B698F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_005AD076
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_005AD3A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_005B9642
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_005B979D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_005B9B2B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_005B5C97
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_005442DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005BEAA2 BlockInput,0_2_005BEAA2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00572622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00572622
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_005442DE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00564CE8 mov eax, dword ptr fs:[00000030h] 0_2_00564CE8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_005A0B62
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00572622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00572622
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0056083F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005609D5 SetUnhandledExceptionFilter,0_2_005609D5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00560C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00560C21
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_005A1201
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00582BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00582BA5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0055F98E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_005C22DA
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_005A0B62
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005A1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_005A1663
Source: file.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00560698 cpuid 0_2_00560698
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005B8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_005B8195
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0059D27A GetUserNameW,0_2_0059D27A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0057B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0057B952
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_005442DE
Source: file.exe | Binary or memory string: WIN_81
Source: file.exe | Binary or memory string: WIN_XP
Source: file.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe | Binary or memory string: WIN_XPe
Source: file.exe | Binary or memory string: WIN_VISTA
Source: file.exe | Binary or memory string: WIN_7
Source: file.exe | Binary or memory string: WIN_8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_005C1204
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_005C1806
MITRE ATT&CK matrix (a number in parentheses is the count of report signatures mapped to that technique; cells without a number are unmatched entries of the standard grid):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (2) | Windows Management Instrumentation (1) | DLL Side-Loading (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (2) | Input Capture (21) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (2) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
Credentials | Domains | Default Accounts | Native API (1) | Valid Accounts (2) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Input Capture (21) | Encrypted Channel (11) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Valid Accounts (2) | Obfuscated Files or Information (2) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Clipboard Data (3) | Non-Application Layer Protocol (3) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Access Token Manipulation (21) | DLL Side-Loading (1) | NTDS | System Information Discovery (16) | Distributed Component Object Model | Input Capture | Application Layer Protocol (4) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (2) | Valid Accounts (2) | LSA Secrets | Security Software Discovery (12) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Virtualization/Sandbox Evasion (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Access Token Manipulation (21) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Process Injection (2) | Proc Filesystem | Application Window Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID: 1524405, sample: file.exe, start date: 02/10/2024, architecture: WINDOWS, score: 56). Bracketed numbers after a process name are the graph's node count badges.

Top-level signatures:
  • Binary is likely a compiled AutoIt script file
  • Machine Learning detection for sample
  • AI detected suspicious sample

Process tree with per-process signatures and network contacts:
  file.exe (started)
    signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection
    -> chrome.exe [1] (started)
         contacts: 192.168.2.23 (unknown); 192.168.2.6:443 (source ports 49491, 49704; unknown); 239.255.255.250 (Reserved)
         -> chrome.exe (started)
              contacts: play.google.com 142.250.181.238:443 (source ports 49746, 49748; GOOGLEUS, United States); www.google.com 142.250.184.228:443 (source ports 49722, 49772; GOOGLEUS, United States); 6 other IPs or domains
         -> chrome.exe (started)
         -> chrome.exe [6] (started)
    -> taskkill.exe [1] (started)
         -> conhost.exe (started)
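The process chain in the graph (file.exe, an AutoIt-compiled binary, spawning chrome.exe and taskkill.exe) is the most reusable hunting artifact in this report. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it flags any parent that is not a known browser launcher and starts both chrome.exe and taskkill.exe within a short window. The events are constructed to mirror the graph, the Sysmon Event ID 1 field names (Image, ParentImage, ProcessId, ParentProcessId, UtcTime), the PIDs, the timestamps and the BROWSER_LAUNCHERS allow-list are all assumptions, not report data.

```python
"""Hunt for the process chain in the behavior graph: a non-browser parent
that spawns chrome.exe and taskkill.exe.

Added example, not part of the Joe Sandbox report. Field names follow
Sysmon Event ID 1 (Image, ParentImage, ProcessId, ParentProcessId, UtcTime);
that, the allow-list and the sample events are assumptions, not report data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Parents that routinely start Chrome; constructed allow-list, tune per environment.
BROWSER_LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe"}

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE = r"C:\Users\user\Desktop\file.exe"

# Constructed events mirroring the graph (file.exe -> chrome.exe, file.exe ->
# taskkill.exe -> conhost.exe, chrome.exe -> three chrome.exe children) plus a
# benign explorer.exe -> chrome.exe control. PIDs and timestamps are invented.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-10-02 16:56:10", "Image": SAMPLE, "ProcessId": 4100,
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 3000},
    {"UtcTime": "2024-10-02 16:56:12", "Image": CHROME, "ProcessId": 4200,
     "ParentImage": SAMPLE, "ParentProcessId": 4100},
    {"UtcTime": "2024-10-02 16:56:12", "Image": r"C:\Windows\System32\taskkill.exe",
     "ProcessId": 4300, "ParentImage": SAMPLE, "ParentProcessId": 4100},
    {"UtcTime": "2024-10-02 16:56:12", "Image": r"C:\Windows\System32\conhost.exe",
     "ProcessId": 4400, "ParentImage": r"C:\Windows\System32\taskkill.exe",
     "ParentProcessId": 4300},
    {"UtcTime": "2024-10-02 16:56:13", "Image": CHROME, "ProcessId": 4500,
     "ParentImage": CHROME, "ParentProcessId": 4200},
    {"UtcTime": "2024-10-02 16:56:13", "Image": CHROME, "ProcessId": 4600,
     "ParentImage": CHROME, "ParentProcessId": 4200},
    {"UtcTime": "2024-10-02 16:56:14", "Image": CHROME, "ProcessId": 4700,
     "ParentImage": CHROME, "ParentProcessId": 4200},
    {"UtcTime": "2024-10-02 17:10:00", "Image": CHROME, "ProcessId": 5100,
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 3000},
]


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_chrome_taskkill_chains(events, window=timedelta(minutes=5)):
    """One finding per parent that is not a known browser launcher and spawns
    both chrome.exe and taskkill.exe within `window` of each other."""
    spawns = defaultdict(lambda: {"chrome.exe": [], "taskkill.exe": []})
    for ev in events:
        child = image_name(ev["Image"])
        if child not in ("chrome.exe", "taskkill.exe"):
            continue
        if image_name(ev["ParentImage"]) in BROWSER_LAUNCHERS:
            continue  # Chrome's own child processes, shell launches, etc.
        key = (ev["ParentImage"], ev["ParentProcessId"])
        spawns[key][child].append(datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S"))

    findings = []
    for (parent_image, parent_pid), seen in spawns.items():
        pairs = [(c, t) for c in seen["chrome.exe"] for t in seen["taskkill.exe"]
                 if abs(t - c) <= window]
        if pairs:
            chrome_at, taskkill_at = min(pairs)
            findings.append({"parent_image": parent_image, "parent_pid": parent_pid,
                             "chrome_at": chrome_at.isoformat(sep=" "),
                             "taskkill_at": taskkill_at.isoformat(sep=" ")})
    return findings


if __name__ == "__main__":
    for finding in find_chrome_taskkill_chains(SAMPLE_EVENTS):
        print(finding)
```

Run as-is, the script reports exactly one chain, the constructed file.exe parent, and ignores Chrome's own child processes and the explorer.exe launch. The report shows no command lines for chrome.exe or taskkill.exe, so this rule keys only on parent/child relations; once CommandLine is available in your telemetry, adding it to the finding is the obvious next step for triage.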

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner
file.exe | 11% | ReversingLabs
file.exe | 100% | Joe Sandbox ML

Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches

URLs
Source | Detection | Scanner | Label
https://play.google/intl/ | 0% | URL Reputation | safe
https://families.google.com/intl/ | 0% | URL Reputation | safe
https://policies.google.com/technologies/location-data | 0% | URL Reputation | safe
https://apis.google.com/js/api.js | 0% | URL Reputation | safe
https://policies.google.com/privacy/google-partners | 0% | URL Reputation | safe
https://policies.google.com/terms/service-specific | 0% | URL Reputation | safe
https://g.co/recover | 0% | URL Reputation | safe
https://policies.google.com/privacy/additional | 0% | URL Reputation | safe
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072 | 0% | URL Reputation | safe
https://policies.google.com/technologies/cookies | 0% | URL Reputation | safe
https://policies.google.com/terms | 0% | URL Reputation | safe
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url= | 0% | URL Reputation | safe
https://support.google.com/accounts?hl= | 0% | URL Reputation | safe
https://policies.google.com/terms/location | 0% | URL Reputation | safe
https://policies.google.com/privacy | 0% | URL Reputation | safe
https://support.google.com/accounts?p=new-si-ui | 0% | URL Reputation | safe
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage | 0% | URL Reputation | safe
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
youtube-ui.l.google.com | 172.217.16.142 | true | false | - | unknown
www3.l.google.com | 142.250.185.174 | true | false | - | unknown
play.google.com | 142.250.181.238 | true | false | - | unknown
www.google.com | 142.250.184.228 | true | false | - | unknown
youtube.com | 142.250.185.206 | true | false | - | unknown
accounts.youtube.com | unknown | unknown | false | - | unknown
www.youtube.com | unknown | unknown | false | - | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://play.google.com/log?format=json&hasfast=true&authuser=0 | false | - | unknown
https://www.google.com/favicon.ico | false | - | unknown
https://play.google.com/log?hasfast=true&authuser=0&format=json | false | - | unknown
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://play.google/intl/ | chromecache_92.6.dr | false | URL Reputation: safe | unknown
https://families.google.com/intl/ | chromecache_92.6.dr | false | URL Reputation: safe | unknown
https://youtube.com/t/terms?gl= | chromecache_92.6.dr | false | - | unknown
https://policies.google.com/technologies/location-data | chromecache_92.6.dr | false | URL Reputation: safe | unknown
https://www.google.com/intl/ | chromecache_92.6.dr | false | - | unknown
https://apis.google.com/js/api.js | chromecache_87.6.dr | false | URL Reputation: safe | unknown
https://policies.google.com/privacy/google-partners | chromecache_92.6.dr | false | URL Reputation: safe | unknown
https://play.google.com/work/enroll?identifier= | chromecache_92.6.dr | false | - | unknown
https://policies.google.com/terms/service-specific | chromecache_92.6.dr | false | URL Reputation: safe | unknown
https://g.co/recover | chromecache_92.6.dr | false | URL Reputation: safe | unknown
https://policies.google.com/privacy/additional | chromecache_92.6.dr | false | URL Reputation: safe | unknown
https://support.google.com/websearch/answer/4358949?hl=ko&ref_topic=3285072 | chromecache_92.6.dr | false | URL Reputation: safe | unknown
https://policies.google.com/technologies/cookies | chromecache_92.6.dr | false | URL Reputation: safe | unknown
https://policies.google.com/terms | chromecache_92.6.dr | false | URL Reputation: safe | unknown
https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url= | chromecache_87.6.dr | false | URL Reputation: safe | unknown
https://www.google.com | chromecache_92.6.dr | false | - | unknown
https://play.google.com/log?format=json&hasfast=true | chromecache_92.6.dr | false | - | unknown
https://www.youtube.com/t/terms?chromeless=1&hl= | chromecache_92.6.dr | false | - | unknown
https://support.google.com/accounts?hl= | chromecache_92.6.dr | false | URL Reputation: safe | unknown
https://policies.google.com/terms/location | chromecache_92.6.dr | false | URL Reputation: safe | unknown
https://policies.google.com/privacy | chromecache_92.6.dr | false | URL Reputation: safe | unknown
https://support.google.com/accounts?p=new-si-ui | chromecache_92.6.dr | false | URL Reputation: safe | unknown
https://apis.google.com/js/rpc:shindig_random.js?onload=credentialservice.postMessage | chromecache_92.6.dr | false | URL Reputation: safe | unknown
Contacted IPs

Public
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.185.206 | youtube.com | United States | 15169 | GOOGLEUS | false
142.250.181.238 | play.google.com | United States | 15169 | GOOGLEUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
142.250.185.174 | www3.l.google.com | United States | 15169 | GOOGLEUS | false
142.250.185.142 | unknown | United States | 15169 | GOOGLEUS | false
142.250.184.228 | www.google.com | United States | 15169 | GOOGLEUS | false
172.217.16.142 | youtube-ui.l.google.com | United States | 15169 | GOOGLEUS | false

Private
IP
192.168.2.6
192.168.2.23
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1524405
                                  Start date and time:2024-10-02 18:56:01 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 5m 1s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:file.exe
                                  Detection:MAL
                                  Classification:mal56.evad.winEXE@40/30@12/9
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 95%
                                  • Number of executed functions: 47
                                  • Number of non-executed functions: 307
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 142.250.185.131, 216.58.206.78, 64.233.167.84, 34.104.35.123, 142.250.185.99, 142.250.181.234, 142.250.74.202, 172.217.16.138, 142.250.186.170, 142.250.185.234, 142.250.186.74, 142.250.186.138, 142.250.185.202, 216.58.206.74, 142.250.186.42, 142.250.186.106, 142.250.184.234, 172.217.16.202, 172.217.18.10, 216.58.206.42, 142.250.184.202, 142.250.185.195, 142.250.185.106, 142.250.185.138, 142.250.185.170, 172.217.18.106, 142.250.185.74, 192.229.221.95, 2.19.126.137, 142.250.74.195, 74.125.71.84, 199.232.210.172, 142.250.186.174
                                  • Excluded domains from analysis (whitelisted): clients1.google.com, client.wns.windows.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, slscr.update.microsoft.com, fonts.gstatic.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com, www.gstatic.com, optimizationguide-pa.googleapis.com
• Not all processes were analyzed; the report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                  • VT rate limit hit for: file.exe
                                  No simulations
Context

IPs
Match | Associated Sample Name / URL | Detection | Threat Name
239.255.255.250 | file.exe (9 separate samples) | malicious | Credential Flusher
239.255.255.250 | 27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html | malicious | Unknown
(SHA 256 values and report links are behind the "Get hash" and "Browse" links in the original and are not reproduced here.)

Note that 239.255.255.250 is the SSDP multicast address, which any host doing local service discovery contacts, so this match carries no attribution value on its own.

Domains: No context
ASNs: No context
JA3 Fingerprints
Match (JA3) | Associated Sample Name / URL | Detection | Threat Name | Context (IPs)
1138de370e523e824bbca92d049a3777 | file.exe (7 separate samples) | malicious | Credential Flusher | 173.222.162.64
1138de370e523e824bbca92d049a3777 | file.exe | malicious | Unknown | 173.222.162.64
1138de370e523e824bbca92d049a3777 | test.exe | malicious | Babadeda | 173.222.162.64
1138de370e523e824bbca92d049a3777 | exit.exe | malicious | Babadeda | 173.222.162.64
28a2c9bd18a11de089ef85a160da29e4 | file.exe (8 separate samples) | malicious | Credential Flusher | 4.245.163.56, 184.28.90.27
28a2c9bd18a11de089ef85a160da29e4 | 27987136e29b3032ad40982c8b7c2e168112c9601e08da806119dcba615524b5.html | malicious | Unknown | 4.245.163.56, 184.28.90.27
28a2c9bd18a11de089ef85a160da29e4 | New_Statement-8723107.js | malicious | Unknown | 4.245.163.56, 184.28.90.27
3b5074b1b5d032e5620f69f9f700ff0e | file.exe (4 separate samples) | malicious | Credential Flusher | 40.115.3.253
3b5074b1b5d032e5620f69f9f700ff0e | PO-A1702108.exe | malicious | AgentTesla, PureLog Stealer | 40.115.3.253
3b5074b1b5d032e5620f69f9f700ff0e | QUOTATION_OCTQTRA071244PDF.scr.exe (2 separate samples) | malicious | Unknown | 40.115.3.253
3b5074b1b5d032e5620f69f9f700ff0e | inquiry_qoutation_Europe_Hydraulic Partner, LLC_7638628279_uue.exe | malicious | AgentTesla | 40.115.3.253
3b5074b1b5d032e5620f69f9f700ff0e | doc_20241002_383767466374663543.exe | malicious | Snake Keylogger, VIP Keylogger | 40.115.3.253
3b5074b1b5d032e5620f69f9f700ff0e | All#att098764576.exe | malicious | Snake Keylogger | 40.115.3.253
(SHA 256 values and report links are behind the "Get hash" and "Browse" links in the original and are not reproduced here.)

The same fingerprints match samples with unrelated threat names (AgentTesla, Snake Keylogger, Babadeda, Credential Flusher), so a JA3 match here is weak evidence of family relation; the TLS clients in this analysis are Chrome processes launched by the sample, not the sample itself.

Dropped Files: No context
                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      File Type:ASCII text, with very long lines (570)
                                                      Category:downloaded
                                                      Size (bytes):3467
                                                      Entropy (8bit):5.514745431912774
                                                      Encrypted:false
                                                      SSDEEP:96:ozbld2fNUmeqJNizhNtt1W8t//loyIpXmdVE2w:onSKE8PWe/Cy4X3j
                                                      MD5:8DEF399E8355ABC23E64505281005099
                                                      SHA1:24FF74C3AEFD7696D84FF148465DF4B1B60B1696
                                                      SHA-256:F128D7218E1286B05DF11310AD3C8F4CF781402698E45448850D2A3A22F5F185
                                                      SHA-512:33721DD47658D8E12ADF6BD9E9316EB89F5B6297927F7FD60F954E04B829DCBF0E1AE6DDD9A3401F45E0011AE4B1397B960C218238A3D0F633A2173D8E604082
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFwPDENALwio0taw23fxitsQJhhiA/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
                                                      Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("Wt6vjf");.var cya=function(){var a=_.He();return _.Lj(a,1)},Yt=function(a){this.Da=_.t(a,0,Yt.messageId)};_.J(Yt,_.w);Yt.prototype.Ha=function(){return _.Dj(this,1)};Yt.prototype.Va=function(a){return _.Vj(this,1,a)};Yt.messageId="f.bo";var Zt=function(){_.hm.call(this)};_.J(Zt,_.hm);Zt.prototype.xd=function(){this.CT=!1;dya(this);_.hm.prototype.xd.call(this)};Zt.prototype.aa=function(){eya(this);if(this.wC)return fya(this),!1;if(!this.KV)return $t(this),!0;this.dispatchEvent("p");if(!this.zP)return $t(this),!0;this.wM?(this.dispatchEvent("r"),$t(this)):fya(this);return!1};.var gya=function(a){var b=new _.ap(a.W4);a.qQ!=null&&_.Jn(b,"authuser",a.qQ);return b},fya=function(a){a.wC=!0;var b=gya(a),c="rt=r&f_uid="+_.pk(a.zP);_.cn(b,(0,_.bg)(a.ea,a),"POST",c)};.Zt.prototype.ea=function(a){a=a.target;eya(this);if(_.fn(a)){this.cK=0;if(this.wM)this.wC=!1,this.dispatchEvent("r"
                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      File Type:ASCII text, with very long lines (522)
                                                      Category:downloaded
                                                      Size (bytes):5050
                                                      Entropy (8bit):5.289052544075544
                                                      Encrypted:false
                                                      SSDEEP:96:o4We0hP7OBFXYvB1sig3Fd8HkaXzLmUrv8Vh1WJlLQXT2v2gqw:655758Fd8HkaPZ0GmAD
                                                      MD5:26E26FD11772DFF5C7004BEA334289CC
                                                      SHA1:638DAAF541BDE31E95AEE4F8ADA677434D7051DB
                                                      SHA-256:ADFE3E4960982F5EF4C043052A9990D8683C5FC2B590E817B6B1A5774DDE2CE3
                                                      SHA-512:C31929EB6D1C60D6A84A2574FF60490394A6D6F9B354972F3328952F570D80B3F2AEC916B0E1B66DDB1AC056EB75BFAC477E7AF631D0AD1810EDBAF025465D66
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,iAskyc,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFwPDENALwio0taw23fxitsQJhhiA/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
                                                      Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.jNa=_.y("wg1P6b",[_.TA,_.Cn,_.Kn]);._.k("wg1P6b");.var Z5a;Z5a=_.mh(["aria-"]);._.uJ=function(a){_.X.call(this,a.Fa);this.Ka=this.wa=this.aa=this.viewportElement=this.Na=null;this.Hc=a.Ea.ff;this.ab=a.Ea.focus;this.Fc=a.Ea.Fc;this.ea=this.Pi();a=-1*parseInt(_.Co(this.Pi().el(),"marginTop")||"0",10);var b=parseInt(_.Co(this.Pi().el(),"marginBottom")||"0",10);this.Ta={top:a,right:0,bottom:b,left:0};a=_.cf(this.getData("isMenuDynamic"),!1);b=_.cf(this.getData("isMenuHoisted"),!1);this.Ga=a?1:b?2:0;this.ka=!1;this.Ca=1;this.Ga!==1&&(this.aa=this.Sa("U0exHf").children().Wc(0),_.ku(this,.$5a(this,this.aa.el())));_.kF(this.oa())&&(a=this.oa().el(),b=this.we.bind(this),a.__soy_skip_handler=b)};_.J(_.uJ,_.X);_.uJ.Ba=function(){return{Ea:{ff:_.ZE,focus:_.KE,Fc:_.ru}}};_.uJ.prototype.xF=function(a){var b=a.source;this.Na=b;var c;((c=a.data)==null?0:c.fz)?(a=a.data.fz,this.Ca=a==="MOUS
                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      File Type:ASCII text, with very long lines (553)
                                                      Category:downloaded
                                                      Size (bytes):743936
                                                      Entropy (8bit):5.791086737110097
                                                      Encrypted:false
                                                      SSDEEP:6144:HVXWBQkPdzg5pTX1ROv/duPzd8C3s891/N:gfd8j91/N
                                                      MD5:F9F15F21696A09965757714D00305D14
                                                      SHA1:C7292420A092BF5C277A68B6E42971190AD63C82
                                                      SHA-256:EE66751937B1179DF56A5A789EB36D98B6A53116EABFEC2B35F93894EF71966E
                                                      SHA-512:751EB98B9E8ED75FC72569C6887C348847E0A1D7889A7C4254D96AA54D30C3A57CE1F2F42797A55996EBD6AAB58026EC623BCD9AEEB2672857B2081141021B78
                                                      Malicious:false
                                                      Reputation:low
                                                      URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/am=xIFgKBimEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlFJRy1OqtUmLpt_G_DWG-oJaagYwQ/m=_b,_tp"
                                                      Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){(typeof globalThis!=="undefined"?globalThis:typeof self!=="undefined"?self:this)._F_toggles=a||[]};(0,_._F_toggles_initialize)([0x286081c4, 0x20469860, 0x39e13c40, 0x14501e80, 0xe420, 0x0, 0x1a000000, 0x1d000003, 0xc, ]);./*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/./*.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0.*/./*.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT.*/./*. SPDX-License-Identifier: Apache-2.0.*/./*. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var baa,daa,Ma,Sa,gaa,iaa,jb,qaa,waa,Caa,Haa,Kaa,Jb,Laa,Ob,Qb,Rb,Maa,Naa,Sb,Oaa,Paa,Qaa,Yb,Vaa,Xaa,ec,fc,gc,bba,cba,gba,jba,lba,mba,qba,tba,nba,sba,rba,pba,oba,uba,yba,Cba,Dba,Aba,Hc,Ic,Gba,Iba,Mba,Nba,Oba,Pba,Lba,Qba,Sba,dd,Uba,Vba,Xba,Zba,Yba,aca,bca,cca,dca,fca,eca,hca,ica,jca,kca,nca,
                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      File Type:ASCII text, with very long lines (533)
                                                      Category:downloaded
                                                      Size (bytes):9210
                                                      Entropy (8bit):5.404371326611379
                                                      Encrypted:false
                                                      SSDEEP:192:EEFZpeip4HzZlY0If0Ma23jcUcrhCx6VD1TYPi8:Es/p4jgjUhtD1TY68
                                                      MD5:21E893B65627B397E22619A9F5BB9662
                                                      SHA1:F561B0F66211C1E7B22F94B4935C312AB7087E85
                                                      SHA-256:FFA9B8BC8EF2CDFF5EB4BA1A0BA1710A253A5B42535E2A369D5026967DCF4673
                                                      SHA-512:3DE3CD6A4E9B06AB3EB324E90A40B5F2AEEA8D7D6A2651C310E993CF79EEB5AC6E2E33C587F46B2DD20CC862354FD1A61AEBB9B990E6805F6629404BA285F8FA
                                                      Malicious:false
                                                      URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,cYShmd,eVCnO,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,qPfo0c,qmdT9,rCcCxc,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFwPDENALwio0taw23fxitsQJhhiA/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,yRXbo,bTi8wc,ywOR5c,PHUIyb"
                                                      Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.qNa=_.y("SD8Jgb",[]);._.GX=function(a,b){if(typeof b==="string")a.Lc(b);else if(b instanceof _.Fp&&b.ia&&b.ia===_.A)b=_.Ya(b.Lw()),a.empty().append(b);else if(b instanceof _.Ua)b=_.Ya(b),a.empty().append(b);else if(b instanceof Node)a.empty().append(b);else throw Error("Vf");};_.HX=function(a){var b=_.Io(a,"[jsslot]");if(b.size()>0)return b;b=new _.Go([_.Kk("span")]);_.Jo(b,"jsslot","");a.empty().append(b);return b};_.NLb=function(a){return a===null||typeof a==="string"&&_.Hi(a)};._.k("SD8Jgb");._.MX=function(a){_.X.call(this,a.Fa);this.Ua=a.controller.Ua;this.od=a.controllers.od[0]||null;this.header=a.controller.header;this.nav=a.controller.nav;var b;(b=this.oa().find("button:not([type])").el())==null||b.setAttribute("type","button")};_.J(_.MX,_.X);_.MX.Ba=function(){return{controller:{Ua:{jsname:"n7vHCb",ctor:_.mv},header:{jsname:"tJHJj",ctor:_.mv},nav:{jsname:"DH6Rkf",ct
                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      File Type:MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
                                                      Category:downloaded
                                                      Size (bytes):5430
                                                      Entropy (8bit):3.6534652184263736
                                                      Encrypted:false
                                                      SSDEEP:48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
                                                      MD5:F3418A443E7D841097C714D69EC4BCB8
                                                      SHA1:49263695F6B0CDD72F45CF1B775E660FDC36C606
                                                      SHA-256:6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
                                                      SHA-512:82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
                                                      Malicious:false
                                                      URL:https://www.google.com/favicon.ico
                                                      Preview:............ .h...&... .... .........(....... ..... ............................................0...................................................................................................................................v.].X.:.X.:.r.Y........................................q.X.S.4.S.4.S.4.S.4.S.4.S.4...X....................0........q.W.S.4.X.:.................J...A...g.........................K.H.V.8..........................F..B.....................,.......................................B..............................................B..B..B..B..B...u..........................................B..B..B..B..B...{.................5.......k...........................................................7R..8F.................................................2........Vb..5C..;I..................R^.....................0................Xc..5C..5C..5C..5C..5C..5C..lv..........................................]i..<J..:G..Zf....................................................
                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      File Type:ASCII text, with very long lines (395)
                                                      Category:downloaded
                                                      Size (bytes):1608
                                                      Entropy (8bit):5.257113147606035
                                                      Encrypted:false
                                                      SSDEEP:48:o72ZrNZ4yNAbU+15fMxIdf5WENoBCbw7DbG2bEJrw:oyNNAY+1i4HoBNG2Ilw
                                                      MD5:F06E2DC5CC446B39F878B5F8E4D78418
                                                      SHA1:9F1F34FDD8F8DAB942A9B95D9F720587B6F6AD48
                                                      SHA-256:118E4D2FE7CEF205F9AFC87636554C6D8220882B158333EE3D1990282D158B8F
                                                      SHA-512:893C4F883CD1C88C6AAF5A6E7F232D62823A53E1FFDE5C1C52BB066D75781DD041F4D281CDBF18070D921CE862652D8863E2B9D5E0190CFA4128890D62C44168
                                                      Malicious:false
                                                      URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFwPDENALwio0taw23fxitsQJhhiA/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,ZDZcre,A7fCU"
                                                      Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("w9hDv");._.vg(_.Hla);_.eA=function(a){_.W.call(this,a.Fa);this.aa=a.Xa.cache};_.J(_.eA,_.W);_.eA.Ba=function(){return{Xa:{cache:_.dt}}};_.eA.prototype.execute=function(a){_.Bb(a,function(b){var c;_.$e(b)&&(c=b.eb.kc(b.kb));c&&this.aa.xG(c)},this);return{}};_.nu(_.Nla,_.eA);._.l();._.k("ZDZcre");.var fH=function(a){_.W.call(this,a.Fa);this.Wl=a.Ea.Wl;this.d4=a.Ea.metadata;this.aa=a.Ea.ot};_.J(fH,_.W);fH.Ba=function(){return{Ea:{Wl:_.KG,metadata:_.VZa,ot:_.HG}}};fH.prototype.execute=function(a){var b=this;a=this.aa.create(a);return _.Bb(a,function(c){var d=b.d4.getType(c.Od())===2?b.Wl.Rb(c):b.Wl.fetch(c);return _.yl(c,_.LG)?d.then(function(e){return _.Dd(e)}):d},this)};_.nu(_.Sla,fH);._.l();._.k("K5nYTd");._.UZa=new _.pf(_.Ola);._.l();._.k("sP4Vbe");.._.l();._.k("kMFpHd");.._.l();._.k("A7fCU");.var NG=function(a){_.W.call(this,a.Fa);this.aa=a.Ea.tQ};_.J(NG,_.W);NG.Ba=func
                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      File Type:ASCII text, with very long lines (2907)
                                                      Category:downloaded
                                                      Size (bytes):22833
                                                      Entropy (8bit):5.425034548615223
                                                      Encrypted:false
                                                      SSDEEP:384:7lFo6ZEdpgtmyiPixV9OX9gMBpHkHnfst9lZulagGcwYHiRFjJzN7:77o6ZviPixV8xpEHn89l4IgGcwYCRtb7
                                                      MD5:749B18538FE32BFE0815D75F899F5B21
                                                      SHA1:AF95A019211AF69F752A43CAA54A83C2AFD41D28
                                                      SHA-256:116B2687C1D5E00DB56A79894AB0C12D4E2E000B9379B7E7AD751B84DF611F3F
                                                      SHA-512:E4B6F4556AA0FD9979BB52681508F5E26FFB256473803F74F7F5C8D93FA3636D7D0A5835618FBC6123022805CE0D9616A7451A0F302C665E28A6090B5D588505
                                                      Malicious:false
                                                      URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFwPDENALwio0taw23fxitsQJhhiA/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
                                                      Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.uu.prototype.da=_.ca(40,function(){return _.rj(this,3)});_.$y=function(a,b){this.key=a;this.defaultValue=!1;this.flagName=b};_.$y.prototype.ctor=function(a){return typeof a==="boolean"?a:this.defaultValue};_.az=function(){this.ka=!0;var a=_.vj(_.dk(_.Be("TSDtV",window),_.zya),_.uu,1,_.qj())[0];if(a){var b={};for(var c=_.n(_.vj(a,_.Aya,2,_.qj())),d=c.next();!d.done;d=c.next()){d=d.value;var e=_.Jj(d,1).toString();switch(_.tj(d,_.vu)){case 3:b[e]=_.Hj(d,_.lj(d,_.vu,3));break;case 2:b[e]=_.Jj(d,_.lj(d,_.vu,2));break;case 4:b[e]=_.Kj(d,_.lj(d,_.vu,4));break;case 5:b[e]=_.Lj(d,_.lj(d,_.vu,5));break;case 6:b[e]=_.Pj(d,_.ff,6,_.vu);break;default:throw Error("jd`"+_.tj(d,_.vu));}}}else b={};this.ea=b;this.token=.a?a.da():null};_.az.prototype.aa=function(a){if(!this.ka||a.key in this.ea)a=a.ctor(this.ea[a.key]);else if(_.Be("nQyAE",window)){var b=_.Cya(a.flagName);if(b===null)a=a.de
                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      File Type:ASCII text, with very long lines (5693)
                                                      Category:downloaded
                                                      Size (bytes):698314
                                                      Entropy (8bit):5.595120835898624
                                                      Encrypted:false
                                                      SSDEEP:6144:TJvaKtQfcxene0F2HhPM8RGYcBlKmd5r6XISxi7SlncOpYMSrBg5X3O4mAEFD7:TJyKtkIct842ISxXJ09
                                                      MD5:F82438F9EAD5F57493C673008EED9E09
                                                      SHA1:E4681E68FD66D8C76C6ACBC21E2C45F36FD645BC
                                                      SHA-256:B4B092F54EAAA82BFAA159B8D61FB867B51C3067CBD60F4904A205A11F503250
                                                      SHA-512:89027A7B1B3A080D40411F2E6E3B62BF57AC60879223566E71BD41D900C17051F0A058EFE04F8F1FED5E05DC54617D7A86F83D21BDED0F79347795C8B980B4B2
                                                      Malicious:false
                                                      URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFwPDENALwio0taw23fxitsQJhhiA/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,XVq9Qb,STuCOe,njlZCf,m9oV,vjKJJ,y5vRwf,iyZMqd,NTMZac,mzzZzc,rCcCxc,vvMGie,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,z0u0L,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,qPfo0c,cYShmd,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,WpP9Yc,lwddkf,gJzDyc,SpsfSb,aC1iue,tUnxGc,aW3pY,ZakeSe,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,MY7mZe,xBaz7b,GwYlN,eVCnO,EIOG1e,LDQI"
                                                      Preview:"use strict";_F_installCss(".r4WGQb{position:relative}.Dl08I>:first-child{margin-top:0}.Dl08I>:last-child{margin-bottom:0}.IzwVE{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-family:\"Google Sans\",roboto,\"Noto Sans Myanmar UI\",arial,sans-serif;font-size:1.25rem;font-weight:400;letter-spacing:0rem;line-height:1.2}.l5PPKe{color:#1f1f1f;color:var(--gm3-sys-color-on-surface,#1f1f1f);font-size:1rem}.l5PPKe .dMNVAe{margin:0;padding:0}.l5PPKe>:first-child{margin-top:0;padding-top:0}.l5PPKe>:last-child{margin-bottom:0;padding-bottom:0}.Dl08I{margin:0;padding:0;position:relative}.Dl08I>.SmR8:only-child{padding-top:1px}.Dl08I>.SmR8:only-child::before{top:0}.Dl08I>.SmR8:not(first-child){padding-bottom:1px}.Dl08I>.SmR8::after{bottom:0}.Dl08I>.SmR8:only-child::before,.Dl08I>.SmR8::after{border-bottom:1px solid #c4c7c5;border-bottom:1px solid var(--gm3-sys-color-outline-variant,#c4c7c5);content:\"\";height:0;left:0;position:absolute;width:100%}.aZvCDf{margin-top:8px;margin-left
                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      File Type:Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
                                                      Category:downloaded
                                                      Size (bytes):52280
                                                      Entropy (8bit):7.995413196679271
                                                      Encrypted:true
                                                      SSDEEP:1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
                                                      MD5:F61F0D4D0F968D5BBA39A84C76277E1A
                                                      SHA1:AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
                                                      SHA-256:57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
                                                      SHA-512:6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
                                                      Malicious:false
                                                      URL:https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
                                                      Preview:wOF2.......8.....................................^...$..4?HVAR..?MVAR9.`?STAT.*',..J/.......`..(..Z.0..R.6.$.... .....K..[..q..c..T.....>.P.j.`.w..#...%......N.".....$..3.0.6......... .L.rX/r[j.y.|*(.4.%#.....2.v.m..-..%.....;-.Y.{..&..O=#l@...k..7g..ZI...#.Z./+T..r7...M..3).Z%.x....s..sL..[A!.5*1w'/.8V..2Z..%.X.h.o.).]..9..Q`.$.....7..kZ.~O........d..g.n.d.Rw+&....Cz..uy#..fz,(.J....v.%..`..9.....h...?O..:...c%.....6s....xl..#...5..._......1.>.)"U.4 W....?%......6//!$...!.n9C@n...........!""^.....W..Z<.7.x.."UT.T....E.."R>.R..t.....H d..e_.K../.+8.Q.P.ZQ....;...U....]......._.e*......71.?.7.ORv.?...l...G|.P...|:...I.X..2.,.L........d.g.]}W#uW]QnuP-s.;.-Y.....].......C..j_.M0...y.......J..........NY..@A...,....-.F......'..w./j5g.vUS...U..0.&...y7.LP.....%.....Y......Y..D. e.A..G.?.$.......6...eaK.n5.m...N...,...+BCl..L> .E9~.b[.w.x....6<...}.e...%V....O.......*.?...a..#[eE.4..p..$...].....%......o._......N.._~..El....b..A.0.r8.....|..D.d..
                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      File Type:ASCII text, with very long lines (755)
                                                      Category:downloaded
                                                      Size (bytes):1460
                                                      Entropy (8bit):5.291808298251231
                                                      Encrypted:false
                                                      SSDEEP:24:kMYD7DuZvuhqCsNRxoYTY9/qoVk7hz1l2p6vDMW94uEQOeGbCx4VGbgCSFBV87OU:o7DuZWhv6oy12kvwKEeGbC6GbHSh/Hrw
                                                      MD5:4CA7ADFE744A690411EA4D3EA8DB9E4B
                                                      SHA1:2CF1777A199E25378D330DA68BED1871B5C5BC32
                                                      SHA-256:128129BA736B3094323499B0498A5B3A909C1529717461C34B70080A5B1603BD
                                                      SHA-512:8BD3477AF41D1F0FE74AFFCB177BEC0F5F4FDCBBA6BD29D9C2567E6FFDEF5DEB7FF74BF348F33209C39D7BB4958E748DF6731D3DC8F6947352276BC92EAF9E79
                                                      Malicious:false
                                                      URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFwPDENALwio0taw23fxitsQJhhiA/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=P6sQOc"
                                                      Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("lOO0Vd");._.VZa=new _.pf(_.Am);._.l();._.k("P6sQOc");.var $Za=!!(_.Kh[1]&16);var b_a=function(a,b,c,d,e){this.ea=a;this.wa=b;this.ka=c;this.Ca=d;this.Ga=e;this.aa=0;this.da=a_a(this)},c_a=function(a){var b={};_.La(a.yS(),function(e){b[e]=!0});var c=a.pS(),d=a.tS();return new b_a(a.qP(),c.aa()*1E3,a.WR(),d.aa()*1E3,b)},a_a=function(a){return Math.random()*Math.min(a.wa*Math.pow(a.ka,a.aa),a.Ca)},OG=function(a,b){return a.aa>=a.ea?!1:b!=null?!!a.Ga[b]:!0};var PG=function(a){_.W.call(this,a.Fa);this.da=a.Ea.EV;this.ea=a.Ea.metadata;a=a.Ea.Xga;this.fetch=a.fetch.bind(a)};_.J(PG,_.W);PG.Ba=function(){return{Ea:{EV:_.YZa,metadata:_.VZa,Xga:_.OZa}}};PG.prototype.aa=function(a,b){if(this.ea.getType(a.Od())!==1)return _.Sm(a);var c=this.da.eV;return(c=c?c_a(c):null)&&OG(c)?_.wya(a,d_a(this,a,b,c)):_.Sm(a)};.var d_a=function(a,b,c,d){return c.then(function(e){return e},function(e)
                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      File Type:ASCII text, with very long lines (1694)
                                                      Category:downloaded
                                                      Size (bytes):32500
                                                      Entropy (8bit):5.378903546681047
                                                      Encrypted:false
                                                      SSDEEP:768:zYlbuROstb0e39nKGrkysU0smpu4OLOdzIf1p/5GeSsngurz6aKEEEGo/:zYl61Cysbu4OLOdzIfrIen72ZFo/
                                                      MD5:BF4BF9728A7C302FBA5B14F3D0F1878B
                                                      SHA1:2607CA7A93710D629400077FF3602CB207E6F53D
                                                      SHA-256:8981E7B228DF7D6A8797C0CD1E9B0F1F88337D5F0E1C27A04E7A57D2C4309798
                                                      SHA-512:AC9E170FC3AFDC0CF6BB8E926B93EF129A5FAD1BBA51B60BABCF3555E9B652E98F86A00FB099879DED35DD3FFE72ECFA597E20E6CA8CF402BEDEC40F78412EDA
                                                      Malicious:false
                                                      URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFwPDENALwio0taw23fxitsQJhhiA/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
                                                      Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{.var Aua=function(a,b){this.da=a;this.ea=b;if(!c){var c=new _.ap("//www.google.com/images/cleardot.gif");_.op(c)}this.ka=c};_.h=Aua.prototype;_.h.Zc=null;_.h.lZ=1E4;_.h.bA=!1;_.h.nQ=0;_.h.zJ=null;_.h.bV=null;_.h.setTimeout=function(a){this.lZ=a};_.h.start=function(){if(this.bA)throw Error("dc");this.bA=!0;this.nQ=0;Bua(this)};_.h.stop=function(){Cua(this);this.bA=!1};.var Bua=function(a){a.nQ++;navigator!==null&&"onLine"in navigator&&!navigator.onLine?_.km((0,_.bg)(a.aH,a,!1),0):(a.aa=new Image,a.aa.onload=(0,_.bg)(a.Fja,a),a.aa.onerror=(0,_.bg)(a.Eja,a),a.aa.onabort=(0,_.bg)(a.Dja,a),a.zJ=_.km(a.Gja,a.lZ,a),a.aa.src=String(a.ka))};_.h=Aua.prototype;_.h.Fja=function(){this.aH(!0)};_.h.Eja=function(){this.aH(!1)};_.h.Dja=function(){this.aH(!1)};_.h.Gja=function(){this.aH(!1)};._.h.aH=function(a){Cua(this);a?(this.bA=!1,this.da.call(this.ea,!0)):this.nQ<=0?Bua(this):(this.bA=!1,
                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      File Type:HTML document, ASCII text, with very long lines (681)
                                                      Category:downloaded
                                                      Size (bytes):4066
                                                      Entropy (8bit):5.363016925556486
                                                      Encrypted:false
                                                      SSDEEP:96:G2CiFZX5BReR68ujioIRVrqtyzBeTV6SfyAKLif9c7w:bCMZXVeR6jiosVrqtyzBaImyAKw9x
                                                      MD5:FC5E597D923838E10390DADD12651A81
                                                      SHA1:C9959F8D539DB5DF07B8246EC12539B6A9CC101F
                                                      SHA-256:A7EBD5280C50AE93C061EAE1E9727329E015E97531F8F2D82D0E3EA76ADB37B4
                                                      SHA-512:784CA572808F184A849388723FBB3701E6981D885BBA8A330A933F90BF0B36A2E4A491D4463A27911B1D9F7A7134F23E15F187FC7CB4554EAE9BC252513EED7C
                                                      Malicious:false
                                                      URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFwPDENALwio0taw23fxitsQJhhiA/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=sOXFj,q0xTif,ZZ4WUe"
                                                      Preview:"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.vg(_.aqa);._.k("sOXFj");.var tu=function(a){_.W.call(this,a.Fa)};_.J(tu,_.W);tu.Ba=_.W.Ba;tu.prototype.aa=function(a){return a()};_.nu(_.$pa,tu);._.l();._.k("oGtAuc");._.yya=new _.pf(_.aqa);._.l();._.k("q0xTif");.var sza=function(a){var b=function(d){_.Sn(d)&&(_.Sn(d).Jc=null,_.Du(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},Pu=function(a){_.kt.call(this,a.Fa);this.Qa=this.dom=null;if(this.kl()){var b=_.zm(this.Ug(),[_.Em,_.Dm]);b=_.ni([b[_.Em],b[_.Dm]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.hu(this,b)}this.Ra=a.lm.zea};_.J(Pu,_.kt);Pu.Ba=function(){return{lm:{zea:function(a){return _.Ue(a)}}}};Pu.prototype.zp=function(a){return this.Ra.zp(a)};.Pu.prototype.getData=function(a){return this.Ra.getData(a)};Pu.prototype.qo=function(){_.Kt(this.d
                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:downloaded
                                                      Size (bytes):84
                                                      Entropy (8bit):4.875266466142591
                                                      Encrypted:false
                                                      SSDEEP:3:DZFJu0+WVTBCq2Bjdw2KsJJuYHSKnZ:lFJuuVTBudw29nu4SKZ
                                                      MD5:87B6333E98B7620EA1FF98D1A837A39E
                                                      SHA1:105DE6815B0885357DE1414BFC0D77FCC9E924EF
                                                      SHA-256:DCD3C133C5C40BECD4100BBE6EDAE84C9735E778E4234A5E8395C56FF8A733BA
                                                      SHA-512:867D7943D813685FAA76394E53199750C55817E836FD19C933F74D11E9657CE66719A6D6B2E39EE1DE62358BCE364E38A55F4E138DF92337DE6985DDCD5D0994
                                                      Malicious:false
                                                      URL:https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
                                                      Preview:Cj0KBw0ZARP6GgAKKQ3oIX6GGgQISxgCKhwIClIYCg5AIS4jJF8qLSY/Ky8lLBABGP////8PCgcN05ioBxoA
                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      File Type:ASCII text, with very long lines (468)
                                                      Category:downloaded
                                                      Size (bytes):1858
                                                      Entropy (8bit):5.298162049824456
                                                      Encrypted:false
                                                      SSDEEP:48:o7vGoolL3ALFKphnpiu7xOKAcfO/3d/rYh4vZorw:o/QLUFUL4KA+2y0Mw
                                                      MD5:CE055F881BDAB4EF6C1C8AA4B3890348
                                                      SHA1:2671741A70E9F5B608F690AAEEA4972003747654
                                                      SHA-256:9B91C23691D6032CDFE28863E369624B2EDB033E1487A1D1BB0977E3590E5462
                                                      SHA-512:8A22250628985C2E570E6FBADFC0D5CB6753F0735130F9E74962A409476C2859C5C81F8A0F5C427A9F13ED399C8E251FA43FF67AD5F16860640D45E7A538E857
                                                      Malicious:false
                                                      URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,P6sQOc,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZDZcre,ZZ4WUe,ZakeSe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFwPDENALwio0taw23fxitsQJhhiA/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
                                                      Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("iAskyc");._.QZ=function(a){_.W.call(this,a.Fa);this.window=a.Ea.window.get();this.Nc=a.Ea.Nc};_.J(_.QZ,_.W);_.QZ.Ba=function(){return{Ea:{window:_.qu,Nc:_.DE}}};_.QZ.prototype.Po=function(){};_.QZ.prototype.addEncryptionRecoveryMethod=function(){};_.RZ=function(a){return(a==null?void 0:a.Jo)||function(){}};_.SZ=function(a){return(a==null?void 0:a.m3)||function(){}};_.GPb=function(a){return(a==null?void 0:a.Op)||function(){}};._.HPb=function(a){return new Map(Array.from(a,function(b){var c=_.n(b);b=c.next().value;c=c.next().value;return[b,c.map(function(d){return{epoch:d.epoch,key:new Uint8Array(d.key)}})]}))};_.IPb=function(a){setTimeout(function(){throw a;},0)};_.QZ.prototype.kO=function(){return!0};_.nu(_.An,_.QZ);._.l();._.k("ziXSP");.var j_=function(a){_.QZ.call(this,a.Fa)};_.J(j_,_.QZ);j_.Ba=_.QZ.Ba;j_.prototype.Po=function(a,b,c){var d;if((d=this.window.chrome)==nu
                                                      Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      File Type:ASCII text, with very long lines (683)
                                                      Category:downloaded
                                                      Size (bytes):3131
                                                      Entropy (8bit):5.355381206612617
                                                      Encrypted:false
                                                      SSDEEP:48:o7FEEM3MtH15jNQ8jsK3rnw0dkckTrKEp/OqLE9xz0W5Bzv3M6hIHYA+JITbwrF8:oq675jOArwoAmI/DLaxNPL5m+m6w
                                                      MD5:E2A7251AD83A0D0634FEA2703D10ED07
                                                      SHA1:90D72011F31FC40D3DA3748F2817F90A29EB5C01
                                                      SHA-256:1079B49C4AAF5C10E4F2E6A086623F40D200A71FF2A1F64E88AA6C91E4BE7A6F
                                                      SHA-512:CD6D75580EA8BD97CF7C7C0E0BD9D9A54FB6EA7DF1DDB5A95E94D38B260F9EE1425C640839ECD229B8D01E145CF2786CA374D31EC537EB8FE17FF415D5B985F5
                                                      Malicious:false
                                                      URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.RgRbaBHDctU.es5.O/ck=boq-identity.AccountsSignInUi.gAiX_O5afVA.L.B1.O/am=xIFgKBimEQjEE54DekBRIOQAAAAAAAAAAKANAAB0DA/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EIOG1e,EN3i8d,Fndnac,GwYlN,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MY7mZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,WpP9Yc,XVq9Qb,YHI3We,YTxL4,YgOFye,ZakeSe,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,cYShmd,eVCnO,f8Gu1e,gJzDyc,hc6Ubd,inNHtf,iyZMqd,lsjVmc,ltDFwf,lwddkf,m9oV,mvkUhe,mzzZzc,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rCcCxc,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,vjKJJ,vvMGie,ws9Tlc,xBaz7b,xQtZb,xiZRqc,y5vRwf,yRXbo,ywOR5c,z0u0L,zbML3c,ziZ8Mc,zr1jrb,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFwPDENALwio0taw23fxitsQJhhiA/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:GwYlN;EmZ2Bf:zr1jrb;JsbNhc:Xd8iUd;K5nYTd:ZDZcre;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;ScI3Yc:e7Hzgb;UpnZUd:nnwwYc;Uvc8o:VDovNc;XdiAjb:NLiXbe;YIZmRd:A1yn5d;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;dowIGb:ebZ3mb;eBAeSb:zbML3c;iFQyKf:vfuNJf;lOO0Vd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qafBPd:yDVVkb;qddgKe:xQtZb;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
                                                      Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("ZwDk9d");.var gA=function(a){_.W.call(this,a.Fa)};_.J(gA,_.W);gA.Ba=_.W.Ba;gA.prototype.eS=function(a){return _.Xe(this,{Xa:{gT:_.ll}}).then(function(b){var c=window._wjdd,d=window._wjdc;return!c&&d?new _.li(function(e){window._wjdc=function(f){d(f);e(ZJa(f,b,a))}}):ZJa(c,b,a)})};var ZJa=function(a,b,c){return(a=a&&a[c])?a:b.Xa.gT.eS(c)};.gA.prototype.aa=function(a,b){var c=_.Zra(b).Rj;if(c.startsWith("$")){var d=_.gm.get(a);_.uq[b]&&(d||(d={},_.gm.set(a,d)),d[c]=_.uq[b],delete _.uq[b],_.vq--);if(d)if(a=d[c])b=_.af(a);else throw Error("Jb`"+b);else b=null}else b=null;return b};_.nu(_.Lfa,gA);._.l();._.k("SNUn3");._.YJa=new _.pf(_.wg);._.l();._.k("RMhBfe");.var $Ja=function(a){var b=_.tq(a);return b?new _.li(function(c,d){var e=function(){b=_.tq(a);var f=_.Sfa(a,b);f?c(f.getAttribute("jsdata")):window.document.readyState=="complete"?(f=["Unable to find deferred jsdata wit
                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Entropy (8bit):6.58221928263921
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:file.exe
                                                      File size:918'528 bytes
                                                      MD5:a58015bc46c585ae2b5c5f865221c456
                                                      SHA1:bce6af797b2e61a75381ea1a2d329281a0dd0dac
                                                      SHA256:ef56b64524f304085da2403cb4a67c8fe19c9d0389b3ae749f3fce8d8efb69ad
                                                      SHA512:2f6b1376d5de5c9133bb8e3289a4c07bd2b056b2dd0fa471aa4422c16d9d1fa8062a8e304654b8d6581406b6ef1e1e690d00bb526cf57424fd4a68ec16294ade
                                                      SSDEEP:12288:hqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDganTf:hqDEvCTbMWu7rQYlBQcBiT6rprG8aTf
                                                      TLSH:51159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
                                                      File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                      Icon Hash:aaf3e3e3938382a0
                                                      Entrypoint:0x420577
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x66FD7188 [Wed Oct 2 16:15:04 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:5
                                                      OS Version Minor:1
                                                      File Version Major:5
                                                      File Version Minor:1
                                                      Subsystem Version Major:5
                                                      Subsystem Version Minor:1
                                                      Import Hash:948cc502fe9226992dce9417f952fce3
                                                      Instruction
                                                      call 00007FD70CD0B9C3h
                                                      jmp 00007FD70CD0B2CFh
                                                      push ebp
                                                      mov ebp, esp
                                                      push esi
                                                      push dword ptr [ebp+08h]
                                                      mov esi, ecx
                                                      call 00007FD70CD0B4ADh
                                                      mov dword ptr [esi], 0049FDF0h
                                                      mov eax, esi
                                                      pop esi
                                                      pop ebp
                                                      retn 0004h
                                                      and dword ptr [ecx+04h], 00000000h
                                                      mov eax, ecx
                                                      and dword ptr [ecx+08h], 00000000h
                                                      mov dword ptr [ecx+04h], 0049FDF8h
                                                      mov dword ptr [ecx], 0049FDF0h
                                                      ret
                                                      push ebp
                                                      mov ebp, esp
                                                      push esi
                                                      push dword ptr [ebp+08h]
                                                      mov esi, ecx
                                                      call 00007FD70CD0B47Ah
                                                      mov dword ptr [esi], 0049FE0Ch
                                                      mov eax, esi
                                                      pop esi
                                                      pop ebp
                                                      retn 0004h
                                                      and dword ptr [ecx+04h], 00000000h
                                                      mov eax, ecx
                                                      and dword ptr [ecx+08h], 00000000h
                                                      mov dword ptr [ecx+04h], 0049FE14h
                                                      mov dword ptr [ecx], 0049FE0Ch
                                                      ret
                                                      push ebp
                                                      mov ebp, esp
                                                      push esi
                                                      mov esi, ecx
                                                      lea eax, dword ptr [esi+04h]
                                                      mov dword ptr [esi], 0049FDD0h
                                                      and dword ptr [eax], 00000000h
                                                      and dword ptr [eax+04h], 00000000h
                                                      push eax
                                                      mov eax, dword ptr [ebp+08h]
                                                      add eax, 04h
                                                      push eax
                                                      call 00007FD70CD0E06Dh
                                                      pop ecx
                                                      pop ecx
                                                      mov eax, esi
                                                      pop esi
                                                      pop ebp
                                                      retn 0004h
                                                      lea eax, dword ptr [ecx+04h]
                                                      mov dword ptr [ecx], 0049FDD0h
                                                      push eax
                                                      call 00007FD70CD0E0B8h
                                                      pop ecx
                                                      ret
                                                      push ebp
                                                      mov ebp, esp
                                                      push esi
                                                      mov esi, ecx
                                                      lea eax, dword ptr [esi+04h]
                                                      mov dword ptr [esi], 0049FDD0h
                                                      push eax
                                                      call 00007FD70CD0E0A1h
                                                      test byte ptr [ebp+08h], 00000001h
                                                      pop ecx
                                                      Programming Language:
                                                      • [ C ] VS2008 SP1 build 30729
                                                      • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x9900 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xde000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x9900 | 0x9a00 | e2e5d7e76ec32fd73e2c899ef184883c | False | 0.3019987824675325 | data | 5.276832040543936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xde000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0xbc6 | data | - | - | 1.0036496350364963
RT_GROUP_ICON | 0xdd380 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0xdd3f8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xdd40c | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xdd420 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xdd434 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0xdd510 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken
English | Great Britain
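When the packet table of a report like this one is exported as text, its five columns are usually run together into one string per row, e.g. `Oct 2, 2024 18:56:50.138813972 CEST49674443192.168.2.6173.222.162.64` (timestamp, then source port, destination port, source IP and destination IP fused with no separator). The Python below is an added example, not part of the Joe Sandbox report, that splits such rows back into fields and summarises them per connection so the remote endpoints can be pulled out as indicators. It assumes the analysis VM address 192.168.2.6 that appears on one side of every row, and that the VM's side of each connection uses a Windows dynamic-range port (49152 to 65535, always five digits), which is what makes the fused digit run separable; a row with zero or several valid readings is rejected rather than guessed. The sample rows are copied from this report's table.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Address of the analysis VM: it appears on one side of every row of the table (assumption).
LOCAL_IP = "192.168.2.6"
# Assumption: the VM's side of every flow uses a Windows dynamic-range port,
# which is always five digits; that is what lets the fused digit run be split.
EPHEMERAL_RANGE = range(49152, 65536)

# "Oct 2, 2024 18:56:50.138813972 CEST" followed directly by the fused ports and IPs.
ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+ [A-Z]{3,5})"
    r"(?P<tail>\d[\d.]*)$"
)

# Constructed sample input: rows copied verbatim from the report's packet table.
SAMPLE_ROWS = [
    "Oct 2, 2024 18:56:50.138813972 CEST49674443192.168.2.6173.222.162.64",
    "Oct 2, 2024 18:56:56.652728081 CEST49710443192.168.2.640.115.3.253",
    "Oct 2, 2024 18:56:56.652779102 CEST4434971040.115.3.253192.168.2.6",
    "Oct 2, 2024 18:56:56.987377882 CEST49714443192.168.2.6142.250.185.206",
    "Oct 2, 2024 18:56:56.987421036 CEST44349714142.250.185.206192.168.2.6",
]


@dataclass(frozen=True)
class Packet:
    timestamp: str
    src_port: int
    dst_port: int
    src_ip: str
    dst_ip: str


def _is_ipv4(s: str) -> bool:
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and (p == "0" or p[0] != "0") and int(p) <= 255 for p in parts
    )


def _is_port(s: str, ephemeral: bool) -> bool:
    if not s.isdigit() or (len(s) > 1 and s[0] == "0"):
        return False
    n = int(s)
    return n in EPHEMERAL_RANGE if ephemeral else 1 <= n <= 65535


def parse_row(row: str, local_ip: str = LOCAL_IP) -> Packet:
    """Split one fused row into fields; raise if it has zero or several valid readings."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    ts, tail = m.group("ts"), m.group("tail")
    readings = []

    # Inbound: <remote port><local ephemeral port><remote IP><local IP>
    if tail.endswith(local_ip):
        body = tail[: -len(local_ip)]
        for i in range(1, 6):  # remote port is 1..5 digits, the ephemeral port exactly 5
            sport, dport, remote = body[:i], body[i:i + 5], body[i + 5:]
            if _is_port(sport, False) and _is_port(dport, True) and _is_ipv4(remote):
                readings.append(Packet(ts, int(sport), int(dport), remote, local_ip))

    # Outbound: <local ephemeral port><remote port><local IP><remote IP>
    idx = tail.find(local_ip)
    if idx != -1:
        ports, remote = tail[:idx], tail[idx + len(local_ip):]
        sport, dport = ports[:5], ports[5:]
        if _is_port(sport, True) and _is_port(dport, False) and _is_ipv4(remote):
            readings.append(Packet(ts, int(sport), int(dport), local_ip, remote))

    if len(readings) != 1:
        raise ValueError(f"{len(readings)} readings for row {row!r}; refusing to guess")
    return readings[0]


def flows(rows, local_ip: str = LOCAL_IP) -> Counter:
    """Packets per connection, keyed (local port, remote ip, remote port) in both directions."""
    counts: Counter = Counter()
    for row in rows:
        p = parse_row(row, local_ip)
        if p.src_ip == local_ip:
            key = (p.src_port, p.dst_ip, p.dst_port)
        else:
            key = (p.dst_port, p.src_ip, p.src_port)
        counts[key] += 1
    return counts


def remote_endpoints(rows, local_ip: str = LOCAL_IP) -> set:
    """Distinct (remote ip, remote port) pairs the sample talked to: the indicator list an analyst wants."""
    return {(ip, port) for (_, ip, port) in flows(rows, local_ip)}


if __name__ == "__main__":
    for (lport, rip, rport), n in sorted(flows(SAMPLE_ROWS).items()):
        print(f"{LOCAL_IP}:{lport} <-> {rip}:{rport}  packets={n}")
```

The two-reading trap is real: `192.168.2.6173.222.162.64` also splits as `192.168.2.61` + `73.222.162.64`, both valid IPv4, so the parser never guesses the IP boundary from octet validity alone; it anchors on the known local address and on the five-digit ephemeral port, and raises on anything that still yields more than one reading.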
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 18:56:50.138813972 CEST | 49674 | 443 | 192.168.2.6 | 173.222.162.64
Oct 2, 2024 18:56:50.138813972 CEST | 49673 | 443 | 192.168.2.6 | 173.222.162.64
Oct 2, 2024 18:56:50.451287985 CEST | 49672 | 443 | 192.168.2.6 | 173.222.162.64
Oct 2, 2024 18:56:56.652728081 CEST | 49710 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:56:56.652779102 CEST | 443 | 49710 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:56:56.652888060 CEST | 49710 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:56:56.653559923 CEST | 49710 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:56:56.653578043 CEST | 443 | 49710 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:56:56.987377882 CEST | 49714 | 443 | 192.168.2.6 | 142.250.185.206
Oct 2, 2024 18:56:56.987421036 CEST | 443 | 49714 | 142.250.185.206 | 192.168.2.6
Oct 2, 2024 18:56:56.987472057 CEST | 49714 | 443 | 192.168.2.6 | 142.250.185.206
Oct 2, 2024 18:56:56.988241911 CEST | 49714 | 443 | 192.168.2.6 | 142.250.185.206
Oct 2, 2024 18:56:56.988255978 CEST | 443 | 49714 | 142.250.185.206 | 192.168.2.6
Oct 2, 2024 18:56:57.447242022 CEST | 443 | 49710 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:56:57.447315931 CEST | 49710 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:56:57.453346968 CEST | 49710 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:56:57.453360081 CEST | 443 | 49710 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:56:57.453682899 CEST | 443 | 49710 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:56:57.456466913 CEST | 49710 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:56:57.456526041 CEST | 49710 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:56:57.456533909 CEST | 443 | 49710 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:56:57.456665039 CEST | 49710 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:56:57.499407053 CEST | 443 | 49710 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:56:57.626754045 CEST | 443 | 49710 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:56:57.627005100 CEST | 443 | 49710 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:56:57.627058029 CEST | 49710 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:56:57.627258062 CEST | 49710 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:56:57.627274990 CEST | 443 | 49710 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:56:57.631192923 CEST | 443 | 49714 | 142.250.185.206 | 192.168.2.6
Oct 2, 2024 18:56:57.631464005 CEST | 49714 | 443 | 192.168.2.6 | 142.250.185.206
Oct 2, 2024 18:56:57.631472111 CEST | 443 | 49714 | 142.250.185.206 | 192.168.2.6
Oct 2, 2024 18:56:57.632078886 CEST | 443 | 49714 | 142.250.185.206 | 192.168.2.6
Oct 2, 2024 18:56:57.632147074 CEST | 49714 | 443 | 192.168.2.6 | 142.250.185.206
Oct 2, 2024 18:56:57.632781029 CEST | 443 | 49714 | 142.250.185.206 | 192.168.2.6
Oct 2, 2024 18:56:57.632834911 CEST | 49714 | 443 | 192.168.2.6 | 142.250.185.206
Oct 2, 2024 18:56:57.633780003 CEST | 49714 | 443 | 192.168.2.6 | 142.250.185.206
Oct 2, 2024 18:56:57.633848906 CEST | 443 | 49714 | 142.250.185.206 | 192.168.2.6
Oct 2, 2024 18:56:57.634026051 CEST | 49714 | 443 | 192.168.2.6 | 142.250.185.206
Oct 2, 2024 18:56:57.634035110 CEST | 443 | 49714 | 142.250.185.206 | 192.168.2.6
Oct 2, 2024 18:56:57.685504913 CEST | 49714 | 443 | 192.168.2.6 | 142.250.185.206
Oct 2, 2024 18:56:57.939680099 CEST | 443 | 49714 | 142.250.185.206 | 192.168.2.6
Oct 2, 2024 18:56:57.939915895 CEST | 443 | 49714 | 142.250.185.206 | 192.168.2.6
Oct 2, 2024 18:56:57.939969063 CEST | 49714 | 443 | 192.168.2.6 | 142.250.185.206
Oct 2, 2024 18:56:57.941299915 CEST | 49714 | 443 | 192.168.2.6 | 142.250.185.206
Oct 2, 2024 18:56:57.941322088 CEST | 443 | 49714 | 142.250.185.206 | 192.168.2.6
Oct 2, 2024 18:56:57.952260971 CEST | 49717 | 443 | 192.168.2.6 | 172.217.16.142
Oct 2, 2024 18:56:57.952301025 CEST | 443 | 49717 | 172.217.16.142 | 192.168.2.6
Oct 2, 2024 18:56:57.952363968 CEST | 49717 | 443 | 192.168.2.6 | 172.217.16.142
Oct 2, 2024 18:56:57.952625036 CEST | 49717 | 443 | 192.168.2.6 | 172.217.16.142
Oct 2, 2024 18:56:57.952636003 CEST | 443 | 49717 | 172.217.16.142 | 192.168.2.6
Oct 2, 2024 18:56:58.582395077 CEST | 443 | 49717 | 172.217.16.142 | 192.168.2.6
Oct 2, 2024 18:56:58.582895041 CEST | 49717 | 443 | 192.168.2.6 | 172.217.16.142
Oct 2, 2024 18:56:58.582967997 CEST | 443 | 49717 | 172.217.16.142 | 192.168.2.6
Oct 2, 2024 18:56:58.583744049 CEST | 443 | 49717 | 172.217.16.142 | 192.168.2.6
Oct 2, 2024 18:56:58.583841085 CEST | 49717 | 443 | 192.168.2.6 | 172.217.16.142
Oct 2, 2024 18:56:58.584462881 CEST | 443 | 49717 | 172.217.16.142 | 192.168.2.6
Oct 2, 2024 18:56:58.584525108 CEST | 49717 | 443 | 192.168.2.6 | 172.217.16.142
Oct 2, 2024 18:56:58.586447954 CEST | 49717 | 443 | 192.168.2.6 | 172.217.16.142
Oct 2, 2024 18:56:58.586518049 CEST | 443 | 49717 | 172.217.16.142 | 192.168.2.6
Oct 2, 2024 18:56:58.586838961 CEST | 49717 | 443 | 192.168.2.6 | 172.217.16.142
Oct 2, 2024 18:56:58.586847067 CEST | 443 | 49717 | 172.217.16.142 | 192.168.2.6
Oct 2, 2024 18:56:58.637231112 CEST | 49717 | 443 | 192.168.2.6 | 172.217.16.142
Oct 2, 2024 18:56:58.893043041 CEST | 443 | 49717 | 172.217.16.142 | 192.168.2.6
Oct 2, 2024 18:56:58.893059015 CEST | 443 | 49717 | 172.217.16.142 | 192.168.2.6
Oct 2, 2024 18:56:58.893151045 CEST | 49717 | 443 | 192.168.2.6 | 172.217.16.142
Oct 2, 2024 18:56:58.893183947 CEST | 443 | 49717 | 172.217.16.142 | 192.168.2.6
Oct 2, 2024 18:56:58.893395901 CEST | 443 | 49717 | 172.217.16.142 | 192.168.2.6
Oct 2, 2024 18:56:58.893549919 CEST | 49717 | 443 | 192.168.2.6 | 172.217.16.142
Oct 2, 2024 18:56:58.896025896 CEST | 49717 | 443 | 192.168.2.6 | 172.217.16.142
Oct 2, 2024 18:56:58.896045923 CEST | 443 | 49717 | 172.217.16.142 | 192.168.2.6
Oct 2, 2024 18:56:58.896058083 CEST | 49717 | 443 | 192.168.2.6 | 172.217.16.142
Oct 2, 2024 18:56:58.896301985 CEST | 49717 | 443 | 192.168.2.6 | 172.217.16.142
Oct 2, 2024 18:56:59.746613979 CEST | 49674 | 443 | 192.168.2.6 | 173.222.162.64
Oct 2, 2024 18:56:59.746613979 CEST | 49673 | 443 | 192.168.2.6 | 173.222.162.64
Oct 2, 2024 18:57:00.059099913 CEST | 49672 | 443 | 192.168.2.6 | 173.222.162.64
Oct 2, 2024 18:57:01.455008030 CEST | 49722 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:57:01.455064058 CEST | 443 | 49722 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:57:01.455152035 CEST | 49722 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:57:01.455400944 CEST | 49722 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:57:01.455415010 CEST | 443 | 49722 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:57:01.759751081 CEST | 443 | 49705 | 173.222.162.64 | 192.168.2.6
Oct 2, 2024 18:57:01.759896040 CEST | 49705 | 443 | 192.168.2.6 | 173.222.162.64
Oct 2, 2024 18:57:02.028163910 CEST | 49725 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:02.028189898 CEST | 443 | 49725 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:02.028318882 CEST | 49725 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:02.030396938 CEST | 49725 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:02.030416012 CEST | 443 | 49725 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:02.097619057 CEST | 443 | 49722 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:57:02.097893000 CEST | 49722 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:57:02.097904921 CEST | 443 | 49722 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:57:02.098969936 CEST | 443 | 49722 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:57:02.099045038 CEST | 49722 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:57:02.100559950 CEST | 49722 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:57:02.100626945 CEST | 443 | 49722 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:57:02.153819084 CEST | 49722 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:57:02.153832912 CEST | 443 | 49722 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:57:02.203396082 CEST | 49722 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:57:02.672251940 CEST | 443 | 49725 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:02.672344923 CEST | 49725 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:02.675796032 CEST | 49725 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:02.675806046 CEST | 443 | 49725 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:02.676064968 CEST | 443 | 49725 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:02.715548992 CEST | 49725 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:02.719625950 CEST | 49725 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:02.767401934 CEST | 443 | 49725 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:02.944381952 CEST | 443 | 49725 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:02.944550037 CEST | 443 | 49725 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:02.944613934 CEST | 49725 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:02.946109056 CEST | 49725 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:02.946126938 CEST | 443 | 49725 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:02.946147919 CEST | 49725 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:02.946155071 CEST | 443 | 49725 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:02.990947008 CEST | 49728 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:02.990984917 CEST | 443 | 49728 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:02.991064072 CEST | 49728 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:02.991491079 CEST | 49728 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:02.991504908 CEST | 443 | 49728 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:03.624835968 CEST | 443 | 49728 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:03.624938965 CEST | 49728 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:03.907696009 CEST | 49728 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:03.907716990 CEST | 443 | 49728 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:03.907998085 CEST | 443 | 49728 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:03.909547091 CEST | 49728 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:03.955399036 CEST | 443 | 49728 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:04.099435091 CEST | 443 | 49728 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:04.099505901 CEST | 443 | 49728 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:04.099674940 CEST | 49728 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:04.109028101 CEST | 49728 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:04.109081030 CEST | 443 | 49728 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:04.109111071 CEST | 49728 | 443 | 192.168.2.6 | 184.28.90.27
Oct 2, 2024 18:57:04.109128952 CEST | 443 | 49728 | 184.28.90.27 | 192.168.2.6
Oct 2, 2024 18:57:04.927989006 CEST | 49734 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:57:04.928009033 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:57:04.928281069 CEST | 49734 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:57:04.928945065 CEST | 49734 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:57:04.928952932 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:57:05.722731113 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:57:05.722798109 CEST | 49734 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:57:05.725430965 CEST | 49734 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:57:05.725436926 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:57:05.725655079 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:57:05.727484941 CEST | 49734 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:57:05.727586985 CEST | 49734 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:57:05.727591038 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:57:05.727732897 CEST | 49734 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:57:05.771408081 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:57:05.902900934 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:57:05.903549910 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:57:05.906171083 CEST | 49734 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:57:05.906622887 CEST | 49734 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:57:05.906640053 CEST | 443 | 49734 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:57:06.416629076 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:06.416660070 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:06.416850090 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:06.417280912 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:06.417293072 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.163666964 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.163957119 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.163981915 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.164374113 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.164442062 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.165087938 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.165148020 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.166369915 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.166429996 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.166729927 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.166737080 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.214845896 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.487000942 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.487046957 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.487107992 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.487127066 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.487165928 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.487165928 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.487175941 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.487220049 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.493171930 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.493226051 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.499146938 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.499203920 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.499273062 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.499317884 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.505582094 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.505665064 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.526556015 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.526590109 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.526654959 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.526663065 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.526710033 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.535017014 CEST | 49746 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:07.535053968 CEST | 443 | 49746 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:07.535114050 CEST | 49746 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:07.535664082 CEST | 49746 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:07.535672903 CEST | 443 | 49746 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:07.577445030 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.577485085 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.577502012 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.577521086 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.577538967 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.577553034 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.582525015 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.582559109 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.582601070 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.582612038 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.582663059 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.588896990 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.588985920 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.595263958 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.595326900 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.595357895 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.601648092 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.601728916 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.601737976 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.605220079 CEST | 49748 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:07.605258942 CEST | 443 | 49748 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:07.605341911 CEST | 49748 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:07.605693102 CEST | 49748 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:07.605712891 CEST | 443 | 49748 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:07.608697891 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.608769894 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.608777046 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.608810902 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:07.608875990 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.608899117 CEST | 49743 | 443 | 192.168.2.6 | 142.250.185.174
Oct 2, 2024 18:57:07.608911037 CEST | 443 | 49743 | 142.250.185.174 | 192.168.2.6
Oct 2, 2024 18:57:08.354252100 CEST | 443 | 49746 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.354403019 CEST | 49746 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.354422092 CEST | 443 | 49746 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.354617119 CEST | 443 | 49748 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.354759932 CEST | 443 | 49746 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.354810953 CEST | 49746 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.354940891 CEST | 49748 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.354949951 CEST | 443 | 49748 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.355297089 CEST | 443 | 49748 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.355350018 CEST | 49748 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.355458021 CEST | 443 | 49746 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.355513096 CEST | 49746 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.356004000 CEST | 443 | 49748 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.356123924 CEST | 49748 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.358952045 CEST | 49748 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.359016895 CEST | 443 | 49748 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.359172106 CEST | 49746 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.359328985 CEST | 443 | 49746 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.359637022 CEST | 49748 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.359644890 CEST | 443 | 49748 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.359841108 CEST | 49746 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.359853029 CEST | 443 | 49746 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.403552055 CEST | 49746 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.403565884 CEST | 49748 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.659970045 CEST | 443 | 49746 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.660413980 CEST | 443 | 49746 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.660470963 CEST | 49746 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.660939932 CEST | 49746 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.660957098 CEST | 443 | 49746 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.660967112 CEST | 49746 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.661056042 CEST | 49746 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.661379099 CEST | 443 | 49748 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.661640882 CEST | 443 | 49748 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.661765099 CEST | 49748 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.662167072 CEST | 49751 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.662201881 CEST | 443 | 49751 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.662261963 CEST | 49751 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.662929058 CEST | 49748 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.662938118 CEST | 443 | 49748 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.663657904 CEST | 49751 | 443 | 192.168.2.6 | 142.250.181.238
Oct 2, 2024 18:57:08.663672924 CEST | 443 | 49751 | 142.250.181.238 | 192.168.2.6
Oct 2, 2024 18:57:08.664499044 CEST | 49752 | 443 | 192.168.2.6 | 142.250.181.238
                                                      Oct 2, 2024 18:57:08.664542913 CEST44349752142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:08.664634943 CEST49752443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:08.665287971 CEST49752443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:08.665302992 CEST44349752142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.326435089 CEST44349751142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.326867104 CEST49751443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.326878071 CEST44349751142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.327399969 CEST44349751142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.327460051 CEST49751443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.328392982 CEST44349751142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.328448057 CEST49751443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.328603983 CEST49751443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.328684092 CEST44349751142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.328780890 CEST49751443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.328788042 CEST44349751142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.328804970 CEST49751443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.335983038 CEST44349752142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.336193085 CEST49752443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.336241007 CEST44349752142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.336565018 CEST44349752142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.336633921 CEST49752443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.337157965 CEST44349752142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.337225914 CEST49752443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.337356091 CEST49752443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.337419033 CEST44349752142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.337600946 CEST49752443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.337625027 CEST44349752142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.337671041 CEST49752443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.371762037 CEST49751443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.371769905 CEST44349751142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.383402109 CEST44349752142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.387350082 CEST49752443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.545598984 CEST44349751142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.545741081 CEST44349751142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.545787096 CEST49751443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.555411100 CEST49751443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.555438995 CEST44349751142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.559053898 CEST44349752142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.560266972 CEST44349752142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.560328007 CEST49752443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.568738937 CEST49752443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:09.568753958 CEST44349752142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:09.949330091 CEST49722443192.168.2.6142.250.184.228
                                                      Oct 2, 2024 18:57:09.995405912 CEST44349722142.250.184.228192.168.2.6
                                                      Oct 2, 2024 18:57:10.216490984 CEST44349722142.250.184.228192.168.2.6
                                                      Oct 2, 2024 18:57:10.216535091 CEST44349722142.250.184.228192.168.2.6
                                                      Oct 2, 2024 18:57:10.216573000 CEST44349722142.250.184.228192.168.2.6
                                                      Oct 2, 2024 18:57:10.216612101 CEST49722443192.168.2.6142.250.184.228
                                                      Oct 2, 2024 18:57:10.216646910 CEST44349722142.250.184.228192.168.2.6
                                                      Oct 2, 2024 18:57:10.216664076 CEST49722443192.168.2.6142.250.184.228
                                                      Oct 2, 2024 18:57:10.217137098 CEST44349722142.250.184.228192.168.2.6
                                                      Oct 2, 2024 18:57:10.220376015 CEST49722443192.168.2.6142.250.184.228
                                                      Oct 2, 2024 18:57:10.226744890 CEST49722443192.168.2.6142.250.184.228
                                                      Oct 2, 2024 18:57:10.226767063 CEST44349722142.250.184.228192.168.2.6
                                                      Oct 2, 2024 18:57:10.330883980 CEST49756443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:10.330936909 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:10.331293106 CEST49756443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:10.332561970 CEST49756443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:10.332577944 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:11.295411110 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:11.295507908 CEST49756443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:11.403446913 CEST49756443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:11.403465986 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:11.403927088 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:11.456110001 CEST49756443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:11.569665909 CEST49756443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:11.611423969 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:11.741457939 CEST49705443192.168.2.6173.222.162.64
                                                      Oct 2, 2024 18:57:11.741564989 CEST49705443192.168.2.6173.222.162.64
                                                      Oct 2, 2024 18:57:11.742243052 CEST49761443192.168.2.6173.222.162.64
                                                      Oct 2, 2024 18:57:11.742284060 CEST44349761173.222.162.64192.168.2.6
                                                      Oct 2, 2024 18:57:11.742337942 CEST49761443192.168.2.6173.222.162.64
                                                      Oct 2, 2024 18:57:11.742687941 CEST49761443192.168.2.6173.222.162.64
                                                      Oct 2, 2024 18:57:11.742703915 CEST44349761173.222.162.64192.168.2.6
                                                      Oct 2, 2024 18:57:11.746321917 CEST44349705173.222.162.64192.168.2.6
                                                      Oct 2, 2024 18:57:11.746382952 CEST44349705173.222.162.64192.168.2.6
                                                      Oct 2, 2024 18:57:12.230725050 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:12.230752945 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:12.230763912 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:12.230772972 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:12.230789900 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:12.230798960 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:12.230848074 CEST49756443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:12.230873108 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:12.230887890 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:12.230921030 CEST49756443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:12.230927944 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:12.230957031 CEST49756443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:12.230983019 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:12.230995893 CEST49756443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:12.231050014 CEST49756443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:12.246300936 CEST49756443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:12.246318102 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:12.246351957 CEST49756443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:12.246366024 CEST443497564.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:12.351068974 CEST44349761173.222.162.64192.168.2.6
                                                      Oct 2, 2024 18:57:12.351142883 CEST49761443192.168.2.6173.222.162.64
                                                      Oct 2, 2024 18:57:15.534228086 CEST49764443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:15.534334898 CEST44349764142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:15.534425020 CEST49764443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:15.535276890 CEST49764443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:15.535305977 CEST44349764142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:16.288090944 CEST44349764142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:16.288347960 CEST49764443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:16.288367987 CEST44349764142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:16.288746119 CEST44349764142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:16.289066076 CEST49764443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:16.289115906 CEST44349764142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:16.289401054 CEST49764443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:16.289427042 CEST49764443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:16.289433002 CEST44349764142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:16.620279074 CEST44349764142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:16.623493910 CEST44349764142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:16.623550892 CEST49764443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:16.624696970 CEST49764443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:16.624730110 CEST44349764142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:18.243266106 CEST49765443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:18.243318081 CEST4434976540.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:18.243405104 CEST49765443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:18.244124889 CEST49765443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:18.244141102 CEST4434976540.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:19.067307949 CEST4434976540.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:19.067446947 CEST49765443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:19.073662043 CEST49765443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:19.073689938 CEST4434976540.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:19.073976040 CEST4434976540.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:19.076076984 CEST49765443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:19.076138973 CEST49765443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:19.076143980 CEST4434976540.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:19.076293945 CEST49765443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:19.119410038 CEST4434976540.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:19.258233070 CEST4434976540.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:19.258768082 CEST4434976540.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:19.259346008 CEST49765443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:19.259951115 CEST49765443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:19.259951115 CEST49765443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:19.259970903 CEST4434976540.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:31.500835896 CEST44349761173.222.162.64192.168.2.6
                                                      Oct 2, 2024 18:57:31.500947952 CEST49761443192.168.2.6173.222.162.64
                                                      Oct 2, 2024 18:57:37.791477919 CEST49766443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:37.791522026 CEST44349766142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:37.791588068 CEST49766443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:37.792625904 CEST49766443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:37.792640924 CEST44349766142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.281366110 CEST49767443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:38.281420946 CEST44349767142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.281519890 CEST49767443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:38.281964064 CEST49767443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:38.281979084 CEST44349767142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.511145115 CEST44349766142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.511538982 CEST49766443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:38.511564016 CEST44349766142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.511905909 CEST44349766142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.512288094 CEST49766443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:38.512346029 CEST44349766142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.512567997 CEST49766443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:38.512592077 CEST49766443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:38.512600899 CEST44349766142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.734039068 CEST49768443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:38.734078884 CEST44349768142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.734181881 CEST49768443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:38.734730005 CEST49768443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:38.734745026 CEST44349768142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.740394115 CEST44349766142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.740852118 CEST44349766142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.741022110 CEST49766443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:38.741153002 CEST49766443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:38.741167068 CEST44349766142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.940398932 CEST44349767142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.940893888 CEST49767443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:38.940969944 CEST44349767142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.941355944 CEST44349767142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.941781044 CEST49767443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:38.941854000 CEST44349767142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:38.941970110 CEST49767443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:38.942022085 CEST49767443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:38.942035913 CEST44349767142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:39.867053032 CEST49769443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:39.867158890 CEST4434976940.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:39.867304087 CEST49769443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:39.867909908 CEST49769443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:39.867928982 CEST4434976940.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:40.238071918 CEST44349767142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:40.238204956 CEST44349767142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:40.238282919 CEST49767443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:40.241113901 CEST44349768142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:40.273123026 CEST49768443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:40.273140907 CEST44349768142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:40.273175955 CEST49767443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:40.273205042 CEST44349767142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:40.273646116 CEST44349768142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:40.274693012 CEST49768443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:40.274776936 CEST44349768142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:40.275805950 CEST49768443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:40.275829077 CEST49768443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:40.275851011 CEST44349768142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:40.497893095 CEST44349768142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:40.498020887 CEST44349768142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:40.498078108 CEST49768443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:40.498536110 CEST49768443192.168.2.6142.250.181.238
                                                      Oct 2, 2024 18:57:40.498555899 CEST44349768142.250.181.238192.168.2.6
                                                      Oct 2, 2024 18:57:41.131613016 CEST4434976940.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:41.131778002 CEST49769443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:41.133589983 CEST49769443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:41.133626938 CEST4434976940.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:41.133892059 CEST4434976940.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:41.135761023 CEST49769443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:41.135834932 CEST49769443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:41.135848999 CEST4434976940.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:41.135962963 CEST49769443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:41.183398008 CEST4434976940.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:41.306586027 CEST4434976940.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:41.306659937 CEST4434976940.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:41.306922913 CEST49769443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:41.307101011 CEST49769443192.168.2.640.115.3.253
                                                      Oct 2, 2024 18:57:41.307121992 CEST4434976940.115.3.253192.168.2.6
                                                      Oct 2, 2024 18:57:48.784313917 CEST49770443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:48.784420967 CEST443497704.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:48.784533978 CEST49770443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:48.784881115 CEST49770443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:48.784917116 CEST443497704.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:49.556164026 CEST443497704.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:49.556315899 CEST49770443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:49.558588028 CEST49770443192.168.2.64.245.163.56
                                                      Oct 2, 2024 18:57:49.558619022 CEST443497704.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:49.558881998 CEST443497704.245.163.56192.168.2.6
                                                      Oct 2, 2024 18:57:49.572979927 CEST49770443192.168.2.64.245.163.56
Oct 2, 2024 18:57:49.615437984 CEST | 443 | 49770 | 4.245.163.56 | 192.168.2.6
Oct 2, 2024 18:57:49.879556894 CEST | 443 | 49770 | 4.245.163.56 | 192.168.2.6
Oct 2, 2024 18:57:49.879652023 CEST | 443 | 49770 | 4.245.163.56 | 192.168.2.6
Oct 2, 2024 18:57:49.879695892 CEST | 443 | 49770 | 4.245.163.56 | 192.168.2.6
Oct 2, 2024 18:57:49.879729986 CEST | 49770 | 443 | 192.168.2.6 | 4.245.163.56
Oct 2, 2024 18:57:49.879764080 CEST | 443 | 49770 | 4.245.163.56 | 192.168.2.6
Oct 2, 2024 18:57:49.879779100 CEST | 49770 | 443 | 192.168.2.6 | 4.245.163.56
Oct 2, 2024 18:57:49.879812002 CEST | 49770 | 443 | 192.168.2.6 | 4.245.163.56
Oct 2, 2024 18:57:49.879924059 CEST | 443 | 49770 | 4.245.163.56 | 192.168.2.6
Oct 2, 2024 18:57:49.879997015 CEST | 49770 | 443 | 192.168.2.6 | 4.245.163.56
Oct 2, 2024 18:57:49.880023956 CEST | 443 | 49770 | 4.245.163.56 | 192.168.2.6
Oct 2, 2024 18:57:49.880057096 CEST | 443 | 49770 | 4.245.163.56 | 192.168.2.6
Oct 2, 2024 18:57:49.880114079 CEST | 49770 | 443 | 192.168.2.6 | 4.245.163.56
Oct 2, 2024 18:57:49.880176067 CEST | 443 | 49770 | 4.245.163.56 | 192.168.2.6
Oct 2, 2024 18:57:49.880232096 CEST | 49770 | 443 | 192.168.2.6 | 4.245.163.56
Oct 2, 2024 18:57:49.900451899 CEST | 49770 | 443 | 192.168.2.6 | 4.245.163.56
Oct 2, 2024 18:57:49.900494099 CEST | 443 | 49770 | 4.245.163.56 | 192.168.2.6
Oct 2, 2024 18:57:49.900510073 CEST | 49770 | 443 | 192.168.2.6 | 4.245.163.56
Oct 2, 2024 18:57:49.900516987 CEST | 443 | 49770 | 4.245.163.56 | 192.168.2.6
Oct 2, 2024 18:58:01.498621941 CEST | 49772 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:58:01.498723984 CEST | 443 | 49772 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:58:01.498858929 CEST | 49772 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:58:01.499716043 CEST | 49772 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:58:01.499759912 CEST | 443 | 49772 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:58:02.130968094 CEST | 443 | 49772 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:58:02.152050018 CEST | 49772 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:58:02.152118921 CEST | 443 | 49772 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:58:02.153024912 CEST | 443 | 49772 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:58:02.153342009 CEST | 49772 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:58:02.153443098 CEST | 443 | 49772 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:58:02.200143099 CEST | 49772 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:58:02.336643934 CEST | 49773 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:02.336687088 CEST | 443 | 49773 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:02.336779118 CEST | 49773 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:02.337635040 CEST | 49773 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:02.337651968 CEST | 443 | 49773 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:03.919589996 CEST | 443 | 49773 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:03.920332909 CEST | 49773 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:03.922488928 CEST | 49773 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:03.922497988 CEST | 443 | 49773 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:03.923253059 CEST | 443 | 49773 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:03.925405979 CEST | 49773 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:03.925405979 CEST | 49773 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:03.925422907 CEST | 443 | 49773 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:03.925785065 CEST | 49773 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:03.971405983 CEST | 443 | 49773 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:04.097992897 CEST | 443 | 49773 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:04.098200083 CEST | 443 | 49773 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:04.098278999 CEST | 49773 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:04.098483086 CEST | 49773 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:04.098515987 CEST | 443 | 49773 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:08.071369886 CEST | 49774 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:08.071500063 CEST | 443 | 49774 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:08.071744919 CEST | 49774 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:08.071997881 CEST | 49774 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:08.072036028 CEST | 443 | 49774 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:08.725538015 CEST | 443 | 49774 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:08.725982904 CEST | 49774 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:08.726053953 CEST | 443 | 49774 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:08.726952076 CEST | 443 | 49774 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:08.727332115 CEST | 49774 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:08.727446079 CEST | 443 | 49774 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:08.727531910 CEST | 49774 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:08.727570057 CEST | 49774 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:08.727586985 CEST | 443 | 49774 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:09.018927097 CEST | 49776 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:09.018990040 CEST | 443 | 49776 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:09.019094944 CEST | 49776 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:09.019524097 CEST | 49776 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:09.019563913 CEST | 443 | 49776 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:09.041820049 CEST | 443 | 49774 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:09.042155981 CEST | 443 | 49774 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:09.042382956 CEST | 49774 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:09.042639017 CEST | 49774 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:09.042687893 CEST | 443 | 49774 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:09.754406929 CEST | 443 | 49776 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:09.805619955 CEST | 49776 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:09.805659056 CEST | 443 | 49776 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:09.806288958 CEST | 443 | 49776 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:09.806683064 CEST | 49776 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:09.806770086 CEST | 443 | 49776 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:09.806955099 CEST | 49776 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:09.806991100 CEST | 49776 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:09.806998014 CEST | 443 | 49776 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:10.059367895 CEST | 443 | 49776 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:10.059541941 CEST | 443 | 49776 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:10.059611082 CEST | 49776 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:10.069549084 CEST | 49776 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:10.069570065 CEST | 443 | 49776 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:12.038762093 CEST | 443 | 49772 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:58:12.038824081 CEST | 443 | 49772 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:58:12.039011002 CEST | 49772 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:58:25.515801907 CEST | 49772 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:58:25.515897989 CEST | 443 | 49772 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:58:28.322177887 CEST | 49779 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:28.322232962 CEST | 443 | 49779 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:28.322438002 CEST | 49779 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:28.323061943 CEST | 49779 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:28.323071957 CEST | 443 | 49779 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:29.333923101 CEST | 443 | 49779 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:29.334054947 CEST | 49779 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:29.340117931 CEST | 49779 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:29.340132952 CEST | 443 | 49779 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:29.340368986 CEST | 443 | 49779 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:29.343128920 CEST | 49779 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:29.343221903 CEST | 49779 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:29.343226910 CEST | 443 | 49779 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:29.343439102 CEST | 49779 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:29.387409925 CEST | 443 | 49779 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:29.529499054 CEST | 443 | 49779 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:29.530551910 CEST | 443 | 49779 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:29.530659914 CEST | 49779 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:29.531018972 CEST | 49779 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:58:29.531063080 CEST | 443 | 49779 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:58:29.959249020 CEST | 49704 | 80 | 192.168.2.6 | 88.221.110.106
Oct 2, 2024 18:58:29.965492010 CEST | 80 | 49704 | 88.221.110.106 | 192.168.2.6
Oct 2, 2024 18:58:29.965600967 CEST | 49704 | 80 | 192.168.2.6 | 88.221.110.106
Oct 2, 2024 18:58:38.674257994 CEST | 49780 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:38.674326897 CEST | 443 | 49780 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:38.674432039 CEST | 49780 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:38.674823999 CEST | 49780 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:38.674845934 CEST | 443 | 49780 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:39.322586060 CEST | 443 | 49780 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:39.323056936 CEST | 49780 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:39.323095083 CEST | 443 | 49780 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:39.324445009 CEST | 443 | 49780 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:39.324917078 CEST | 49780 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:39.325103998 CEST | 443 | 49780 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:39.325489044 CEST | 49780 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:39.325531960 CEST | 49780 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:39.325550079 CEST | 443 | 49780 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:39.623226881 CEST | 443 | 49780 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:39.626118898 CEST | 443 | 49780 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:39.626317978 CEST | 49780 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:39.626395941 CEST | 49780 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:39.626414061 CEST | 443 | 49780 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:41.346777916 CEST | 49781 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:41.346884012 CEST | 443 | 49781 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:41.347026110 CEST | 49781 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:41.347603083 CEST | 49781 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:41.347642899 CEST | 443 | 49781 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:41.987864017 CEST | 443 | 49781 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:41.988387108 CEST | 49781 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:41.988449097 CEST | 443 | 49781 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:41.988801956 CEST | 443 | 49781 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:41.989228010 CEST | 49781 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:41.989310026 CEST | 443 | 49781 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:41.989473104 CEST | 49781 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:41.989473104 CEST | 49781 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:41.989521027 CEST | 443 | 49781 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:42.290519953 CEST | 443 | 49781 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:42.290662050 CEST | 443 | 49781 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:58:42.290879965 CEST | 49781 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:42.291182995 CEST | 49781 | 443 | 192.168.2.6 | 142.250.185.142
Oct 2, 2024 18:58:42.291229010 CEST | 443 | 49781 | 142.250.185.142 | 192.168.2.6
Oct 2, 2024 18:59:01.561369896 CEST | 49782 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:59:01.561418056 CEST | 443 | 49782 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:59:01.561508894 CEST | 49782 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:59:01.561788082 CEST | 49782 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:59:01.561801910 CEST | 443 | 49782 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:59:02.209718943 CEST | 443 | 49782 | 142.250.184.228 | 192.168.2.6
Oct 2, 2024 18:59:02.265271902 CEST | 49782 | 443 | 192.168.2.6 | 142.250.184.228
Oct 2, 2024 18:59:02.401113987 CEST | 49783 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:59:02.401170015 CEST | 443 | 49783 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:59:02.401426077 CEST | 49783 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:59:02.402050018 CEST | 49783 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:59:02.402071953 CEST | 443 | 49783 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:59:03.179567099 CEST | 443 | 49783 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:59:03.179647923 CEST | 49783 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:59:03.181598902 CEST | 49783 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:59:03.181612015 CEST | 443 | 49783 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:59:03.181840897 CEST | 443 | 49783 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:59:03.183914900 CEST | 49783 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:59:03.183979034 CEST | 49783 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:59:03.183984995 CEST | 443 | 49783 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:59:03.184101105 CEST | 49783 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:59:03.227404118 CEST | 443 | 49783 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:59:03.356070042 CEST | 443 | 49783 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:59:03.356154919 CEST | 443 | 49783 | 40.115.3.253 | 192.168.2.6
Oct 2, 2024 18:59:03.356239080 CEST | 49783 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:59:03.356512070 CEST | 49783 | 443 | 192.168.2.6 | 40.115.3.253
Oct 2, 2024 18:59:03.356534004 CEST | 443 | 49783 | 40.115.3.253 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 2, 2024 18:56:56.954125881 CEST | 56870 | 53 | 192.168.2.6 | 1.1.1.1
Oct 2, 2024 18:56:56.954298973 CEST | 50884 | 53 | 192.168.2.6 | 1.1.1.1
Oct 2, 2024 18:56:56.960988998 CEST | 53 | 56870 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:56:56.962789059 CEST | 53 | 50884 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:56:56.964744091 CEST | 53 | 59991 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:56:56.969954014 CEST | 53 | 60297 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:56:57.944406986 CEST | 49491 | 53 | 192.168.2.6 | 1.1.1.1
Oct 2, 2024 18:56:57.944679022 CEST | 58404 | 53 | 192.168.2.6 | 1.1.1.1
Oct 2, 2024 18:56:57.951459885 CEST | 53 | 58404 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:56:57.951658010 CEST | 53 | 49491 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:56:57.976387024 CEST | 53 | 58556 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:57:01.446821928 CEST | 62679 | 53 | 192.168.2.6 | 1.1.1.1
Oct 2, 2024 18:57:01.447114944 CEST | 49911 | 53 | 192.168.2.6 | 1.1.1.1
Oct 2, 2024 18:57:01.453968048 CEST | 53 | 49911 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:57:01.454169989 CEST | 53 | 62679 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:57:01.964812994 CEST | 53 | 61768 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:57:03.879333019 CEST | 53 | 58559 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:57:06.407569885 CEST | 51690 | 53 | 192.168.2.6 | 1.1.1.1
Oct 2, 2024 18:57:06.407849073 CEST | 61201 | 53 | 192.168.2.6 | 1.1.1.1
Oct 2, 2024 18:57:06.414679050 CEST | 53 | 51690 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:57:06.416052103 CEST | 53 | 61201 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:57:07.526140928 CEST | 57230 | 53 | 192.168.2.6 | 1.1.1.1
Oct 2, 2024 18:57:07.526140928 CEST | 59155 | 53 | 192.168.2.6 | 1.1.1.1
Oct 2, 2024 18:57:07.532824039 CEST | 53 | 59155 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:57:07.532937050 CEST | 53 | 57230 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:57:14.912221909 CEST | 53 | 60753 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:57:33.668469906 CEST | 53 | 61686 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:57:56.334428072 CEST | 53 | 50276 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:57:56.884026051 CEST | 53 | 63369 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:58:08.063215971 CEST | 54376 | 53 | 192.168.2.6 | 1.1.1.1
Oct 2, 2024 18:58:08.063215971 CEST | 51947 | 53 | 192.168.2.6 | 1.1.1.1
Oct 2, 2024 18:58:08.070660114 CEST | 53 | 54376 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:58:08.070683956 CEST | 53 | 51947 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:58:08.542292118 CEST | 53 | 55924 | 1.1.1.1 | 192.168.2.6
Oct 2, 2024 18:58:25.525451899 CEST | 53 | 55146 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 2, 2024 18:56:56.954125881 CEST | 192.168.2.6 | 1.1.1.1 | 0xdac4 | Standard query (0) | youtube.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:56.954298973 CEST | 192.168.2.6 | 1.1.1.1 | 0xf1d7 | Standard query (0) | youtube.com | 65 | IN (0x0001) | false
Oct 2, 2024 18:56:57.944406986 CEST | 192.168.2.6 | 1.1.1.1 | 0x98cb | Standard query (0) | www.youtube.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:57.944679022 CEST | 192.168.2.6 | 1.1.1.1 | 0xb1ab | Standard query (0) | www.youtube.com | 65 | IN (0x0001) | false
Oct 2, 2024 18:57:01.446821928 CEST | 192.168.2.6 | 1.1.1.1 | 0x1e5e | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:57:01.447114944 CEST | 192.168.2.6 | 1.1.1.1 | 0xcdc8 | Standard query (0) | www.google.com | 65 | IN (0x0001) | false
Oct 2, 2024 18:57:06.407569885 CEST | 192.168.2.6 | 1.1.1.1 | 0x295b | Standard query (0) | accounts.youtube.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:57:06.407849073 CEST | 192.168.2.6 | 1.1.1.1 | 0xcfa4 | Standard query (0) | accounts.youtube.com | 65 | IN (0x0001) | false
Oct 2, 2024 18:57:07.526140928 CEST | 192.168.2.6 | 1.1.1.1 | 0x4d4f | Standard query (0) | play.google.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:57:07.526140928 CEST | 192.168.2.6 | 1.1.1.1 | 0x1aa3 | Standard query (0) | play.google.com | 65 | IN (0x0001) | false
Oct 2, 2024 18:58:08.063215971 CEST | 192.168.2.6 | 1.1.1.1 | 0x3787 | Standard query (0) | play.google.com | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:58:08.063215971 CEST | 192.168.2.6 | 1.1.1.1 | 0xd914 | Standard query (0) | play.google.com | 65 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 2, 2024 18:56:56.960988998 CEST | 1.1.1.1 | 192.168.2.6 | 0xdac4 | No error (0) | youtube.com |  | 142.250.185.206 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:56.962789059 CEST | 1.1.1.1 | 192.168.2.6 | 0xf1d7 | No error (0) | youtube.com |  |  | 65 | IN (0x0001) | false
Oct 2, 2024 18:56:57.951459885 CEST | 1.1.1.1 | 192.168.2.6 | 0xb1ab | No error (0) | www.youtube.com | youtube-ui.l.google.com |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951459885 CEST | 1.1.1.1 | 192.168.2.6 | 0xb1ab | No error (0) | youtube-ui.l.google.com |  |  | 65 | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | www.youtube.com | youtube-ui.l.google.com |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | youtube-ui.l.google.com |  | 172.217.16.142 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | youtube-ui.l.google.com |  | 142.250.186.46 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | youtube-ui.l.google.com |  | 142.250.185.206 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | youtube-ui.l.google.com |  | 142.250.185.174 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | youtube-ui.l.google.com |  | 142.250.185.78 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | youtube-ui.l.google.com |  | 172.217.18.14 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | youtube-ui.l.google.com |  | 142.250.181.238 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | youtube-ui.l.google.com |  | 142.250.74.206 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | youtube-ui.l.google.com |  | 142.250.184.238 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | youtube-ui.l.google.com |  | 142.250.186.174 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | youtube-ui.l.google.com |  | 216.58.206.46 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | youtube-ui.l.google.com |  | 216.58.212.174 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | youtube-ui.l.google.com |  | 142.250.185.110 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | youtube-ui.l.google.com |  | 142.250.185.238 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | youtube-ui.l.google.com |  | 142.250.184.206 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:56:57.951658010 CEST | 1.1.1.1 | 192.168.2.6 | 0x98cb | No error (0) | youtube-ui.l.google.com |  | 142.250.185.142 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:57:01.453968048 CEST | 1.1.1.1 | 192.168.2.6 | 0xcdc8 | No error (0) | www.google.com |  |  | 65 | IN (0x0001) | false
Oct 2, 2024 18:57:01.454169989 CEST | 1.1.1.1 | 192.168.2.6 | 0x1e5e | No error (0) | www.google.com |  | 142.250.184.228 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:57:06.414679050 CEST | 1.1.1.1 | 192.168.2.6 | 0x295b | No error (0) | accounts.youtube.com | www3.l.google.com |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 2, 2024 18:57:06.414679050 CEST | 1.1.1.1 | 192.168.2.6 | 0x295b | No error (0) | www3.l.google.com |  | 142.250.185.174 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:57:06.416052103 CEST | 1.1.1.1 | 192.168.2.6 | 0xcfa4 | No error (0) | accounts.youtube.com | www3.l.google.com |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 2, 2024 18:57:07.532937050 CEST | 1.1.1.1 | 192.168.2.6 | 0x4d4f | No error (0) | play.google.com |  | 142.250.181.238 | A (IP address) | IN (0x0001) | false
Oct 2, 2024 18:58:08.070660114 CEST | 1.1.1.1 | 192.168.2.6 | 0x3787 | No error (0) | play.google.com |  | 142.250.185.142 | A (IP address) | IN (0x0001) | false
                                                      • youtube.com
                                                      • www.youtube.com
                                                      • fs.microsoft.com
                                                      • https:
                                                        • accounts.youtube.com
                                                        • play.google.com
                                                        • www.google.com
                                                      • slscr.update.microsoft.com
                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      0 | 192.168.2.6 | 49710 | 40.115.3.253 | 443
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:56:57 UTC71OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 57 44 79 37 6e 62 34 7a 36 55 32 62 6f 74 67 48 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 38 63 61 35 61 61 64 36 39 64 33 64 34 35 33 0d 0a 0d 0a
                                                      Data Ascii: CNT 1 CON 305MS-CV: WDy7nb4z6U2botgH.1Context: b8ca5aad69d3d453
                                                      2024-10-02 16:56:57 UTC249OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                      Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                      2024-10-02 16:56:57 UTC1084OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 57 44 79 37 6e 62 34 7a 36 55 32 62 6f 74 67 48 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 38 63 61 35 61 61 64 36 39 64 33 64 34 35 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 57 75 6a 54 55 75 2b 58 42 70 70 30 76 50 4d 4f 64 6e 50 36 48 75 70 46 71 66 42 55 35 36 35 64 6a 2f 64 46 63 38 67 4e 50 67 48 6d 66 4f 6b 4f 6e 45 7a 79 54 55 53 67 67 2f 32 63 44 6c 64 35 2b 72 64 61 6a 6d 6c 4f 6a 35 44 7a 4d 4f 6b 6f 44 47 43 66 78 44 4e 71 7a 76 51 71 33 4a 30 72 44 59 65 63 77 71 44 48 6b 6f 67 55 4c
                                                      Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: WDy7nb4z6U2botgH.2Context: b8ca5aad69d3d453<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAWujTUu+XBpp0vPMOdnP6HupFqfBU565dj/dFc8gNPgHmfOkOnEzyTUSgg/2cDld5+rdajmlOj5DzMOkoDGCfxDNqzvQq3J0rDYecwqDHkogUL
                                                      2024-10-02 16:56:57 UTC218OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 57 44 79 37 6e 62 34 7a 36 55 32 62 6f 74 67 48 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 38 63 61 35 61 61 64 36 39 64 33 64 34 35 33 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                                                      Data Ascii: BND 3 CON\WNS 0 197MS-CV: WDy7nb4z6U2botgH.3Context: b8ca5aad69d3d453<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                                      2024-10-02 16:56:57 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                      Data Ascii: 202 1 CON 58
                                                      2024-10-02 16:56:57 UTC58INData Raw: 4d 53 2d 43 56 3a 20 6e 6a 41 64 6b 79 50 30 37 6b 53 43 48 61 46 72 75 61 4f 39 4f 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                      Data Ascii: MS-CV: njAdkyP07kSCHaFruaO9Ow.0Payload parsing failed.


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      1 | 192.168.2.6 | 49714 | 142.250.185.206 | 443 | 1460 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:56:57 UTC | 839 | OUT | GET /account?=https://accounts.google.com/v3/signin/challenge/pwd HTTP/1.1
                                                      Host: youtube.com
                                                      Connection: keep-alive
                                                      sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                      sec-ch-ua-mobile: ?0
                                                      sec-ch-ua-platform: "Windows"
                                                      Upgrade-Insecure-Requests: 1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
                                                      Sec-Fetch-Site: none
                                                      Sec-Fetch-Mode: navigate
                                                      Sec-Fetch-User: ?1
                                                      Sec-Fetch-Dest: document
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      2024-10-02 16:56:57 UTC | 1726 | IN | HTTP/1.1 301 Moved Permanently
                                                      Content-Type: application/binary
                                                      X-Content-Type-Options: nosniff
                                                      Expires: Wed, 02 Oct 2024 16:56:57 GMT
                                                      Date: Wed, 02 Oct 2024 16:56:57 GMT
                                                      Cache-Control: private, max-age=31536000
                                                      Location: https://www.youtube.com/account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd
                                                      X-Frame-Options: SAMEORIGIN
                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                      Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9
                                                      Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main"
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /cspreport
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      2 | 192.168.2.6 | 49717 | 172.217.16.142 | 443 | 1460 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:56:58 UTC | 857 | OUT | GET /account?=https%3A%2F%2Faccounts.google.com%2Fv3%2Fsignin%2Fchallenge%2Fpwd HTTP/1.1
                                                      Host: www.youtube.com
                                                      Connection: keep-alive
                                                      Upgrade-Insecure-Requests: 1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
                                                      Sec-Fetch-Site: none
                                                      Sec-Fetch-Mode: navigate
                                                      Sec-Fetch-User: ?1
                                                      Sec-Fetch-Dest: document
                                                      sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                      sec-ch-ua-mobile: ?0
                                                      sec-ch-ua-platform: "Windows"
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      2024-10-02 16:56:58 UTC | 2634 | IN | HTTP/1.1 303 See Other
                                                      Content-Type: application/binary
                                                      X-Content-Type-Options: nosniff
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Wed, 02 Oct 2024 16:56:58 GMT
                                                      Location: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%253F%253Dhttps%25253A%25252F%25252Faccounts.google.com%25252Fv3%25252Fsignin%25252Fchallenge%25252Fpwd%26feature%3Dredirect_login&hl=en
                                                      X-Frame-Options: SAMEORIGIN
                                                      Strict-Transport-Security: max-age=31536000
                                                      Origin-Trial: AmhMBR6zCLzDDxpW+HfpP67BqwIknWnyMOXOQGfzYswFmJe+fgaI6XZgAzcxOrzNtP7hEDsOo1jdjFnVr2IdxQ4AAAB4eyJvcmlnaW4iOiJodHRwczovL3lvdXR1YmUuY29tOjQ0MyIsImZlYXR1cmUiOiJXZWJWaWV3WFJlcXVlc3RlZFdpdGhEZXByZWNhdGlvbiIsImV4cGlyeSI6MTc1ODA2NzE5OSwiaXNTdWJkb21haW4iOnRydWV9
                                                      Report-To: {"group":"youtube_main","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/youtube_main"}]}
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Vary: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="youtube_main"
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Content-Security-Policy: require-trusted-types-for 'script'
                                                      P3P: CP="This is not a P3P policy! See http://support.google.com/accounts/answer/151657?hl=en for more info."
                                                      Server: ESF
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      Set-Cookie: GPS=1; Domain=.youtube.com; Expires=Wed, 02-Oct-2024 17:26:58 GMT; Path=/; Secure; HttpOnly
                                                      Set-Cookie: YSC=G9k4aAv5kNE; Domain=.youtube.com; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
                                                      Set-Cookie: VISITOR_INFO1_LIVE=OorQvGgD6Ok; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 16:56:58 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
                                                      Set-Cookie: VISITOR_PRIVACY_METADATA=CgJVUxIEGgAgHA%3D%3D; Domain=.youtube.com; Expires=Mon, 31-Mar-2025 16:56:58 GMT; Path=/; Secure; HttpOnly; SameSite=none; Partitioned
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      3 | 192.168.2.6 | 49725 | 184.28.90.27 | 443 | |
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:57:02 UTC | 161 | OUT | HEAD /fs/windows/config.json HTTP/1.1
                                                      Connection: Keep-Alive
                                                      Accept: */*
                                                      Accept-Encoding: identity
                                                      User-Agent: Microsoft BITS/7.8
                                                      Host: fs.microsoft.com
                                                      2024-10-02 16:57:02 UTC | 466 | IN | HTTP/1.1 200 OK
                                                      Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                                                      Content-Type: application/octet-stream
                                                      ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                                                      Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                                                      Server: ECAcc (lpl/EF06)
                                                      X-CID: 11
                                                      X-Ms-ApiVersion: Distribute 1.2
                                                      X-Ms-Region: prod-neu-z1
                                                      Cache-Control: public, max-age=85728
                                                      Date: Wed, 02 Oct 2024 16:57:02 GMT
                                                      Connection: close
                                                      X-CID: 2


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      4 | 192.168.2.6 | 49728 | 184.28.90.27 | 443 | |
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:57:03 UTC | 239 | OUT | GET /fs/windows/config.json HTTP/1.1
                                                      Connection: Keep-Alive
                                                      Accept: */*
                                                      Accept-Encoding: identity
                                                      If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
                                                      Range: bytes=0-2147483646
                                                      User-Agent: Microsoft BITS/7.8
                                                      Host: fs.microsoft.com
                                                      2024-10-02 16:57:04 UTC | 514 | IN | HTTP/1.1 200 OK
                                                      ApiVersion: Distribute 1.1
                                                      Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json
                                                      Content-Type: application/octet-stream
                                                      ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7"
                                                      Last-Modified: Tue, 16 May 2017 22:58:00 GMT
                                                      Server: ECAcc (lpl/EF06)
                                                      X-CID: 11
                                                      X-Ms-ApiVersion: Distribute 1.2
                                                      X-Ms-Region: prod-weu-z1
                                                      Cache-Control: public, max-age=85670
                                                      Date: Wed, 02 Oct 2024 16:57:04 GMT
                                                      Content-Length: 55
                                                      Connection: close
                                                      X-CID: 2
                                                      2024-10-02 16:57:04 UTC55INData Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d
                                                      Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      5 | 192.168.2.6 | 49734 | 40.115.3.253 | 443
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:57:05 UTC71OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 68 35 32 76 78 67 46 62 5a 30 75 69 41 30 6d 66 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 65 62 33 39 39 36 34 33 33 33 34 36 63 62 34 0d 0a 0d 0a
                                                      Data Ascii: CNT 1 CON 305MS-CV: h52vxgFbZ0uiA0mf.1Context: 6eb3996433346cb4
                                                      2024-10-02 16:57:05 UTC249OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                      Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                      2024-10-02 16:57:05 UTC1084OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 68 35 32 76 78 67 46 62 5a 30 75 69 41 30 6d 66 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 65 62 33 39 39 36 34 33 33 33 34 36 63 62 34 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 57 75 6a 54 55 75 2b 58 42 70 70 30 76 50 4d 4f 64 6e 50 36 48 75 70 46 71 66 42 55 35 36 35 64 6a 2f 64 46 63 38 67 4e 50 67 48 6d 66 4f 6b 4f 6e 45 7a 79 54 55 53 67 67 2f 32 63 44 6c 64 35 2b 72 64 61 6a 6d 6c 4f 6a 35 44 7a 4d 4f 6b 6f 44 47 43 66 78 44 4e 71 7a 76 51 71 33 4a 30 72 44 59 65 63 77 71 44 48 6b 6f 67 55 4c
                                                      Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: h52vxgFbZ0uiA0mf.2Context: 6eb3996433346cb4<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAWujTUu+XBpp0vPMOdnP6HupFqfBU565dj/dFc8gNPgHmfOkOnEzyTUSgg/2cDld5+rdajmlOj5DzMOkoDGCfxDNqzvQq3J0rDYecwqDHkogUL
                                                      2024-10-02 16:57:05 UTC218OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 68 35 32 76 78 67 46 62 5a 30 75 69 41 30 6d 66 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 36 65 62 33 39 39 36 34 33 33 33 34 36 63 62 34 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                                                      Data Ascii: BND 3 CON\WNS 0 197MS-CV: h52vxgFbZ0uiA0mf.3Context: 6eb3996433346cb4<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                                      2024-10-02 16:57:05 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                      Data Ascii: 202 1 CON 58
                                                      2024-10-02 16:57:05 UTC58INData Raw: 4d 53 2d 43 56 3a 20 73 52 61 74 64 68 68 47 6a 45 43 53 6a 6f 38 2f 31 53 70 51 63 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                      Data Ascii: MS-CV: sRatdhhGjECSjo8/1SpQcQ.0Payload parsing failed.


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      6 | 192.168.2.6 | 49743 | 142.250.185.174 | 443 | 1460 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:57:07 UTC | 1224 | OUT | GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=2004920150&timestamp=1727888225573 HTTP/1.1
                                                      Host: accounts.youtube.com
                                                      Connection: keep-alive
                                                      sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                      sec-ch-ua-mobile: ?0
                                                      sec-ch-ua-full-version: "117.0.5938.134"
                                                      sec-ch-ua-arch: "x86"
                                                      sec-ch-ua-platform: "Windows"
                                                      sec-ch-ua-platform-version: "10.0.0"
                                                      sec-ch-ua-model: ""
                                                      sec-ch-ua-bitness: "64"
                                                      sec-ch-ua-wow64: ?0
                                                      sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                      Upgrade-Insecure-Requests: 1
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                      X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
                                                      Sec-Fetch-Site: cross-site
                                                      Sec-Fetch-Mode: navigate
                                                      Sec-Fetch-User: ?1
                                                      Sec-Fetch-Dest: iframe
                                                      Referer: https://accounts.google.com/
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      2024-10-02 16:57:07 UTC | 1969 | IN | HTTP/1.1 200 OK
                                                      Content-Type: text/html; charset=utf-8
                                                      X-Frame-Options: ALLOW-FROM https://accounts.google.com
                                                      Content-Security-Policy: frame-ancestors https://accounts.google.com
                                                      Content-Security-Policy: script-src 'report-sample' 'nonce-jFJuFfuYNxrLbkQ39L4RWw' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport;worker-src 'self'
                                                      Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval' blob: data: 'self' https://apis.google.com https://ssl.gstatic.com https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://www.google-analytics.com;report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport/allowlist
                                                      Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/AccountsDomainCookiesCheckConnectionHttp/cspreport
                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                      Pragma: no-cache
                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                      Date: Wed, 02 Oct 2024 16:57:07 GMT
                                                      Permissions-Policy: ch-ua-arch=*, ch-ua-bitness=*, ch-ua-full-version=*, ch-ua-full-version-list=*, ch-ua-model=*, ch-ua-wow64=*, ch-ua-form-factors=*, ch-ua-platform=*, ch-ua-platform-version=*
                                                      Cross-Origin-Opener-Policy: same-origin
                                                      Cross-Origin-Resource-Policy: cross-origin
                                                      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
                                                      reporting-endpoints: default="/_/AccountsDomainCookiesCheckConnectionHttp/web-reports?context=eJzjstDikmJw15BikPj6kkkDiJ3SZ7AGAXHSv_OsRUB8ufsS63UgVu25xGoKxEUSV1ibgFiIh-Pxt6_b2QQaXj_fwKikl5RfGJ-ZkppXkllSmZKfm5iZl5yfn52ZWlycWlSWWhRvZGBkYmBpZKRnYBFfYAAABqkuNg"
                                                      Server: ESF
                                                      X-XSS-Protection: 0
                                                      X-Content-Type-Options: nosniff
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Accept-Ranges: none
                                                      Vary: Accept-Encoding
                                                      Connection: close
                                                      Transfer-Encoding: chunked
                                                      2024-10-02 16:57:07 UTC1969INData Raw: 37 36 32 30 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 6e 6f 6e 63 65 3d 22 6a 46 4a 75 46 66 75 59 4e 78 72 4c 62 6b 51 33 39 4c 34 52 57 77 22 3e 22 75 73 65 20 73 74 72 69 63 74 22 3b 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 3d 74 68 69 73 2e 64 65 66 61 75 6c 74 5f 41 63 63 6f 75 6e 74 73 44 6f 6d 61 69 6e 63 6f 6f 6b 69 65 73 43 68 65 63 6b 63 6f 6e 6e 65 63 74 69 6f 6e 4a 73 7c 7c 7b 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 5f 29 7b 76 61 72 20 77 69 6e 64 6f 77 3d 74 68 69 73 3b 0a 74 72 79 7b 0a 5f 2e 5f 46 5f 74 6f 67 67 6c 65 73 5f 69 6e 69 74 69 61 6c 69 7a 65 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 28 74 79 70 65 6f
                                                      Data Ascii: 7620<html><head><script nonce="jFJuFfuYNxrLbkQ39L4RWw">"use strict";this.default_AccountsDomaincookiesCheckconnectionJs=this.default_AccountsDomaincookiesCheckconnectionJs||{};(function(_){var window=this;try{_._F_toggles_initialize=function(a){(typeo
                                                      2024-10-02 16:57:07 UTC1969INData Raw: 54 72 69 64 65 6e 74 5c 2f 28 5c 64 2e 5c 64 29 2f 2e 65 78 65 63 28 62 29 2c 0a 63 5b 31 5d 3d 3d 22 37 2e 30 22 29 69 66 28 62 26 26 62 5b 31 5d 29 73 77 69 74 63 68 28 62 5b 31 5d 29 7b 63 61 73 65 20 22 34 2e 30 22 3a 61 3d 22 38 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 35 2e 30 22 3a 61 3d 22 39 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 36 2e 30 22 3a 61 3d 22 31 30 2e 30 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 37 2e 30 22 3a 61 3d 22 31 31 2e 30 22 7d 65 6c 73 65 20 61 3d 22 37 2e 30 22 3b 65 6c 73 65 20 61 3d 63 5b 31 5d 3b 62 3d 61 7d 65 6c 73 65 20 62 3d 22 22 3b 72 65 74 75 72 6e 20 62 7d 76 61 72 20 64 3d 52 65 67 45 78 70 28 22 28 5b 41 2d 5a 5d 5b 5c 5c 77 20 5d 2b 29 2f 28 5b 5e 5c 5c 73 5d 2b 29 5c 5c 73 2a 28 3f 3a 5c 5c 28
                                                      Data Ascii: Trident\/(\d.\d)/.exec(b),c[1]=="7.0")if(b&&b[1])switch(b[1]){case "4.0":a="8.0";break;case "5.0":a="9.0";break;case "6.0":a="10.0";break;case "7.0":a="11.0"}else a="7.0";else a=c[1];b=a}else b="";return b}var d=RegExp("([A-Z][\\w ]+)/([^\\s]+)\\s*(?:\\(
                                                      2024-10-02 16:57:07 UTC1969INData Raw: 74 63 68 28 74 79 70 65 6f 66 20 61 29 7b 63 61 73 65 20 22 6e 75 6d 62 65 72 22 3a 72 65 74 75 72 6e 20 69 73 46 69 6e 69 74 65 28 61 29 3f 61 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 69 67 69 6e 74 22 3a 72 65 74 75 72 6e 28 41 61 3f 0a 61 3e 3d 42 61 26 26 61 3c 3d 43 61 3a 61 5b 30 5d 3d 3d 3d 22 2d 22 3f 75 61 28 61 2c 44 61 29 3a 75 61 28 61 2c 45 61 29 29 3f 4e 75 6d 62 65 72 28 61 29 3a 53 74 72 69 6e 67 28 61 29 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 72 65 74 75 72 6e 20 61 3f 31 3a 30 3b 63 61 73 65 20 22 6f 62 6a 65 63 74 22 3a 69 66 28 61 29 69 66 28 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 61 29 29 7b 69 66 28 43 28 61 29 29 72 65 74 75 72 6e 7d 65 6c 73 65 20 69 66 28 46 61 26 26 61 21 3d 6e 75 6c 6c 26 26 61 20 69 6e
                                                      Data Ascii: tch(typeof a){case "number":return isFinite(a)?a:String(a);case "bigint":return(Aa?a>=Ba&&a<=Ca:a[0]==="-"?ua(a,Da):ua(a,Ea))?Number(a):String(a);case "boolean":return a?1:0;case "object":if(a)if(Array.isArray(a)){if(C(a))return}else if(Fa&&a!=null&&a in
                                                      2024-10-02 16:57:07 UTC1969INData Raw: 7b 76 61 72 20 62 3b 69 66 28 61 26 26 28 62 3d 51 61 29 21 3d 6e 75 6c 6c 26 26 62 2e 68 61 73 28 61 29 26 26 28 62 3d 61 2e 43 29 29 66 6f 72 28 76 61 72 20 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 62 5b 63 5d 3b 69 66 28 63 3d 3d 3d 62 2e 6c 65 6e 67 74 68 2d 31 26 26 41 28 64 29 29 66 6f 72 28 76 61 72 20 65 20 69 6e 20 64 29 7b 76 61 72 20 66 3d 64 5b 65 5d 3b 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 66 29 26 26 0a 52 61 28 66 2c 61 29 7d 65 6c 73 65 20 41 72 72 61 79 2e 69 73 41 72 72 61 79 28 64 29 26 26 52 61 28 64 2c 61 29 7d 61 3d 45 3f 61 2e 43 3a 4d 61 28 61 2e 43 2c 50 61 2c 76 6f 69 64 20 30 2c 76 6f 69 64 20 30 2c 21 31 29 3b 65 3d 21 45 3b 69 66 28 62 3d 61 2e 6c 65 6e 67 74 68 29 7b 64 3d 61 5b 62 2d
                                                      Data Ascii: {var b;if(a&&(b=Qa)!=null&&b.has(a)&&(b=a.C))for(var c=0;c<b.length;c++){var d=b[c];if(c===b.length-1&&A(d))for(var e in d){var f=d[e];Array.isArray(f)&&Ra(f,a)}else Array.isArray(d)&&Ra(d,a)}a=E?a.C:Ma(a.C,Pa,void 0,void 0,!1);e=!E;if(b=a.length){d=a[b-
                                                      2024-10-02 16:57:07 UTC1969INData Raw: 6f 6c 2e 69 74 65 72 61 74 6f 72 22 2c 66 75 6e 63 74 69 6f 6e 28 61 29 7b 69 66 28 61 29 72 65 74 75 72 6e 20 61 3b 61 3d 53 79 6d 62 6f 6c 28 22 63 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 22 41 72 72 61 79 20 49 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 41 72 72 61 79 20 55 69 6e 74 38 43 6c 61 6d 70 65 64 41 72 72 61 79 20 49 6e 74 31 36 41 72 72 61 79 20 55 69 6e 74 31 36 41 72 72 61 79 20 49 6e 74 33 32 41 72 72 61 79 20 55 69 6e 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 33 32 41 72 72 61 79 20 46 6c 6f 61 74 36 34 41 72 72 61 79 22 2e 73 70 6c 69 74 28 22 20 22 29 2c 63 3d 30 3b 63 3c 62 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 7b 76 61 72 20 64 3d 57 61 5b 62 5b 63 5d 5d 3b 74 79 70 65 6f 66 20 64 3d 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 26 26 74 79 70 65
                                                      Data Ascii: ol.iterator",function(a){if(a)return a;a=Symbol("c");for(var b="Array Int8Array Uint8Array Uint8ClampedArray Int16Array Uint16Array Int32Array Uint32Array Float32Array Float64Array".split(" "),c=0;c<b.length;c++){var d=Wa[b[c]];typeof d==="function"&&type
                                                      2024-10-02 16:57:07 UTC1969INData Raw: 29 3b 65 28 22 66 72 65 65 7a 65 22 29 3b 65 28 22 70 72 65 76 65 6e 74 45 78 74 65 6e 73 69 6f 6e 73 22 29 3b 65 28 22 73 65 61 6c 22 29 3b 76 61 72 20 68 3d 30 2c 67 3d 66 75 6e 63 74 69 6f 6e 28 6b 29 7b 74 68 69 73 2e 67 3d 28 68 2b 3d 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2b 31 29 2e 74 6f 53 74 72 69 6e 67 28 29 3b 69 66 28 6b 29 7b 6b 3d 48 28 6b 29 3b 66 6f 72 28 76 61 72 20 6c 3b 21 28 6c 3d 6b 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6c 3d 6c 2e 76 61 6c 75 65 2c 74 68 69 73 2e 73 65 74 28 6c 5b 30 5d 2c 6c 5b 31 5d 29 7d 7d 3b 67 2e 70 72 6f 74 6f 74 79 70 65 2e 73 65 74 3d 66 75 6e 63 74 69 6f 6e 28 6b 2c 6c 29 7b 69 66 28 21 63 28 6b 29 29 74 68 72 6f 77 20 45 72 72 6f 72 28 22 69 22 29 3b 64 28 6b 29 3b 69 66 28 21 49 28 6b 2c 66 29 29
                                                      Data Ascii: );e("freeze");e("preventExtensions");e("seal");var h=0,g=function(k){this.g=(h+=Math.random()+1).toString();if(k){k=H(k);for(var l;!(l=k.next()).done;)l=l.value,this.set(l[0],l[1])}};g.prototype.set=function(k,l){if(!c(k))throw Error("i");d(k);if(!I(k,f))
                                                      2024-10-02 16:57:07 UTC1969INData Raw: 75 72 6e 20 67 2e 76 61 6c 75 65 7d 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 2e 66 6f 72 45 61 63 68 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 66 6f 72 28 76 61 72 20 6c 3d 74 68 69 73 2e 65 6e 74 72 69 65 73 28 29 2c 6d 3b 21 28 6d 3d 6c 2e 6e 65 78 74 28 29 29 2e 64 6f 6e 65 3b 29 6d 3d 0a 6d 2e 76 61 6c 75 65 2c 67 2e 63 61 6c 6c 28 6b 2c 6d 5b 31 5d 2c 6d 5b 30 5d 2c 74 68 69 73 29 7d 3b 63 2e 70 72 6f 74 6f 74 79 70 65 5b 53 79 6d 62 6f 6c 2e 69 74 65 72 61 74 6f 72 5d 3d 63 2e 70 72 6f 74 6f 74 79 70 65 2e 65 6e 74 72 69 65 73 3b 76 61 72 20 64 3d 66 75 6e 63 74 69 6f 6e 28 67 2c 6b 29 7b 76 61 72 20 6c 3d 6b 26 26 74 79 70 65 6f 66 20 6b 3b 6c 3d 3d 22 6f 62 6a 65 63 74 22 7c 7c 6c 3d 3d 22 66 75 6e 63 74 69 6f 6e 22 3f 62 2e 68 61 73 28 6b 29
                                                      Data Ascii: urn g.value})};c.prototype.forEach=function(g,k){for(var l=this.entries(),m;!(m=l.next()).done;)m=m.value,g.call(k,m[1],m[0],this)};c.prototype[Symbol.iterator]=c.prototype.entries;var d=function(g,k){var l=k&&typeof k;l=="object"||l=="function"?b.has(k)
                                                      2024-10-02 16:57:07 UTC1969INData Raw: 6f 6e 28 61 29 7b 72 65 74 75 72 6e 20 61 3f 61 3a 66 75 6e 63 74 69 6f 6e 28 62 29 7b 72 65 74 75 72 6e 20 74 79 70 65 6f 66 20 62 3d 3d 3d 22 6e 75 6d 62 65 72 22 26 26 69 73 4e 61 4e 28 62 29 7d 7d 29 3b 76 61 72 20 66 62 3d 66 62 7c 7c 7b 7d 2c 71 3d 74 68 69 73 7c 7c 73 65 6c 66 2c 67 62 3d 71 2e 5f 46 5f 74 6f 67 67 6c 65 73 7c 7c 5b 5d 2c 68 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 61 3d 61 2e 73 70 6c 69 74 28 22 2e 22 29 3b 66 6f 72 28 76 61 72 20 62 3d 71 2c 63 3d 30 3b 63 3c 61 2e 6c 65 6e 67 74 68 3b 63 2b 2b 29 69 66 28 62 3d 62 5b 61 5b 63 5d 5d 2c 62 3d 3d 6e 75 6c 6c 29 72 65 74 75 72 6e 20 6e 75 6c 6c 3b 72 65 74 75 72 6e 20 62 7d 2c 69 62 3d 22 63 6c 6f 73 75 72 65 5f 75 69 64 5f 22 2b 28 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 2a 31 45
                                                      Data Ascii: on(a){return a?a:function(b){return typeof b==="number"&&isNaN(b)}});var fb=fb||{},q=this||self,gb=q._F_toggles||[],hb=function(a){a=a.split(".");for(var b=q,c=0;c<a.length;c++)if(b=b[a[c]],b==null)return null;return b},ib="closure_uid_"+(Math.random()*1E
                                                      2024-10-02 16:57:07 UTC1969INData Raw: 74 65 78 74 5f 5f 39 38 34 33 38 32 3d 7b 7d 29 3b 61 2e 5f 5f 63 6c 6f 73 75 72 65 5f 5f 65 72 72 6f 72 5f 5f 63 6f 6e 74 65 78 74 5f 5f 39 38 34 33 38 32 2e 73 65 76 65 72 69 74 79 3d 62 7d 3b 76 61 72 20 71 62 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 2c 63 29 7b 63 3d 63 7c 7c 71 3b 76 61 72 20 64 3d 63 2e 6f 6e 65 72 72 6f 72 2c 65 3d 21 21 62 3b 63 2e 6f 6e 65 72 72 6f 72 3d 66 75 6e 63 74 69 6f 6e 28 66 2c 68 2c 67 2c 6b 2c 6c 29 7b 64 26 26 64 28 66 2c 68 2c 67 2c 6b 2c 6c 29 3b 61 28 7b 6d 65 73 73 61 67 65 3a 66 2c 66 69 6c 65 4e 61 6d 65 3a 68 2c 6c 69 6e 65 3a 67 2c 6c 69 6e 65 4e 75 6d 62 65 72 3a 67 2c 63 61 3a 6b 2c 65 72 72 6f 72 3a 6c 7d 29 3b 72 65 74 75 72 6e 20 65 7d 7d 2c 74 62 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 76 61 72 20 62 3d 68
                                                      Data Ascii: text__984382={});a.__closure__error__context__984382.severity=b};var qb=function(a,b,c){c=c||q;var d=c.onerror,e=!!b;c.onerror=function(f,h,g,k,l){d&&d(f,h,g,k,l);a({message:f,fileName:h,line:g,lineNumber:g,ca:k,error:l});return e}},tb=function(a){var b=h
                                                      2024-10-02 16:57:07 UTC1969INData Raw: 22 6e 75 6d 62 65 72 22 3a 66 3d 53 74 72 69 6e 67 28 66 29 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 62 6f 6f 6c 65 61 6e 22 3a 66 3d 66 3f 22 74 72 75 65 22 3a 22 66 61 6c 73 65 22 3b 62 72 65 61 6b 3b 63 61 73 65 20 22 66 75 6e 63 74 69 6f 6e 22 3a 66 3d 28 66 3d 73 62 28 66 29 29 3f 66 3a 22 5b 66 6e 5d 22 3b 62 72 65 61 6b 3b 64 65 66 61 75 6c 74 3a 66 3d 0a 74 79 70 65 6f 66 20 66 7d 66 2e 6c 65 6e 67 74 68 3e 34 30 26 26 28 66 3d 66 2e 73 6c 69 63 65 28 30 2c 34 30 29 2b 22 2e 2e 2e 22 29 3b 63 2e 70 75 73 68 28 66 29 7d 62 2e 70 75 73 68 28 61 29 3b 63 2e 70 75 73 68 28 22 29 5c 6e 22 29 3b 74 72 79 7b 63 2e 70 75 73 68 28 77 62 28 61 2e 63 61 6c 6c 65 72 2c 62 29 29 7d 63 61 74 63 68 28 68 29 7b 63 2e 70 75 73 68 28 22 5b 65 78 63 65 70 74 69 6f 6e
                                                      Data Ascii: "number":f=String(f);break;case "boolean":f=f?"true":"false";break;case "function":f=(f=sb(f))?f:"[fn]";break;default:f=typeof f}f.length>40&&(f=f.slice(0,40)+"...");c.push(f)}b.push(a);c.push(")\n");try{c.push(wb(a.caller,b))}catch(h){c.push("[exception


                                                       Session ID: 7 | Source IP: 192.168.2.6 | Source Port: 49748 | Destination IP: 142.250.181.238 | Destination Port: 443 | PID: 1460 | Process: C:\Program Files\Google\Chrome\Application\chrome.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       2024-10-02 16:57:08 UTC | 549 | OUT | OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                      Host: play.google.com
                                                      Connection: keep-alive
                                                      Accept: */*
                                                      Access-Control-Request-Method: POST
                                                      Access-Control-Request-Headers: x-goog-authuser
                                                      Origin: https://accounts.google.com
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                      Sec-Fetch-Mode: cors
                                                      Sec-Fetch-Site: same-site
                                                      Sec-Fetch-Dest: empty
                                                      Referer: https://accounts.google.com/
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                       2024-10-02 16:57:08 UTC | 520 | IN | HTTP/1.1 200 OK
                                                      Access-Control-Allow-Origin: https://accounts.google.com
                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                      Access-Control-Max-Age: 86400
                                                      Access-Control-Allow-Credentials: true
                                                      Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser
                                                      Content-Type: text/plain; charset=UTF-8
                                                      Date: Wed, 02 Oct 2024 16:57:08 GMT
                                                      Server: Playlog
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                       Session ID: 8 | Source IP: 192.168.2.6 | Source Port: 49746 | Destination IP: 142.250.181.238 | Destination Port: 443 | PID: 1460 | Process: C:\Program Files\Google\Chrome\Application\chrome.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       2024-10-02 16:57:08 UTC | 549 | OUT | OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                      Host: play.google.com
                                                      Connection: keep-alive
                                                      Accept: */*
                                                      Access-Control-Request-Method: POST
                                                      Access-Control-Request-Headers: x-goog-authuser
                                                      Origin: https://accounts.google.com
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                      Sec-Fetch-Mode: cors
                                                      Sec-Fetch-Site: same-site
                                                      Sec-Fetch-Dest: empty
                                                      Referer: https://accounts.google.com/
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                       2024-10-02 16:57:08 UTC | 520 | IN | HTTP/1.1 200 OK
                                                      Access-Control-Allow-Origin: https://accounts.google.com
                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                      Access-Control-Max-Age: 86400
                                                      Access-Control-Allow-Credentials: true
                                                      Access-Control-Allow-Headers: X-Playlog-Web,authorization,origin,x-goog-authuser
                                                      Content-Type: text/plain; charset=UTF-8
                                                      Date: Wed, 02 Oct 2024 16:57:08 GMT
                                                      Server: Playlog
                                                      Content-Length: 0
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close


                                                       Session ID: 9 | Source IP: 192.168.2.6 | Source Port: 49751 | Destination IP: 142.250.181.238 | Destination Port: 443 | PID: 1460 | Process: C:\Program Files\Google\Chrome\Application\chrome.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       2024-10-02 16:57:09 UTC | 1112 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                      Host: play.google.com
                                                      Connection: keep-alive
                                                      Content-Length: 519
                                                      sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                      sec-ch-ua-mobile: ?0
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                      sec-ch-ua-arch: "x86"
                                                      Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                      sec-ch-ua-full-version: "117.0.5938.134"
                                                      sec-ch-ua-platform-version: "10.0.0"
                                                      X-Goog-AuthUser: 0
                                                      sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                      sec-ch-ua-bitness: "64"
                                                      sec-ch-ua-model: ""
                                                      sec-ch-ua-wow64: ?0
                                                      sec-ch-ua-platform: "Windows"
                                                      Accept: */*
                                                      Origin: https://accounts.google.com
                                                      X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
                                                      Sec-Fetch-Site: same-site
                                                      Sec-Fetch-Mode: cors
                                                      Sec-Fetch-Dest: empty
                                                      Referer: https://accounts.google.com/
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      2024-10-02 16:57:09 UTC519OUTData Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 32 32 36 37 37 38 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c
                                                      Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888226778",null,null,null
                                                       2024-10-02 16:57:09 UTC | 932 | IN | HTTP/1.1 200 OK
                                                      Access-Control-Allow-Origin: https://accounts.google.com
                                                      Cross-Origin-Resource-Policy: cross-origin
                                                      Access-Control-Allow-Credentials: true
                                                      Access-Control-Allow-Headers: X-Playlog-Web
                                                      Set-Cookie: NID=518=Mhua4XOrvSKWnLvppNH5fBqaSVvwefvd4As_OJtLRgbnBocFDbB_gvi0PCLXoDrrKUBfXoeuB42UPq6YOTI3tkTQ4jGiaFrIWF1DzOFT3NoqDKVnARTWb7QMxRTaPL3kwKPsFMJlekxYh2Lmng9tySUsU7Lkx7l1AG5b4_n5WOAMyM9Yhw; expires=Thu, 03-Apr-2025 16:57:09 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                      P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                      Content-Type: text/plain; charset=UTF-8
                                                      Date: Wed, 02 Oct 2024 16:57:09 GMT
                                                      Server: Playlog
                                                      Cache-Control: private
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Accept-Ranges: none
                                                      Vary: Accept-Encoding
                                                      Expires: Wed, 02 Oct 2024 16:57:09 GMT
                                                      Connection: close
                                                      Transfer-Encoding: chunked
                                                       2024-10-02 16:57:09 UTC | 137 | IN | Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                       Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                       2024-10-02 16:57:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                       Data Ascii: 0


                                                       Session ID: 10 | Source IP: 192.168.2.6 | Source Port: 49752 | Destination IP: 142.250.181.238 | Destination Port: 443 | PID: 1460 | Process: C:\Program Files\Google\Chrome\Application\chrome.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       2024-10-02 16:57:09 UTC | 1112 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                      Host: play.google.com
                                                      Connection: keep-alive
                                                      Content-Length: 519
                                                      sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                      sec-ch-ua-mobile: ?0
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                      sec-ch-ua-arch: "x86"
                                                      Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                      sec-ch-ua-full-version: "117.0.5938.134"
                                                      sec-ch-ua-platform-version: "10.0.0"
                                                      X-Goog-AuthUser: 0
                                                      sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                      sec-ch-ua-bitness: "64"
                                                      sec-ch-ua-model: ""
                                                      sec-ch-ua-wow64: ?0
                                                      sec-ch-ua-platform: "Windows"
                                                      Accept: */*
                                                      Origin: https://accounts.google.com
                                                      X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
                                                      Sec-Fetch-Site: same-site
                                                      Sec-Fetch-Mode: cors
                                                      Sec-Fetch-Dest: empty
                                                      Referer: https://accounts.google.com/
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      2024-10-02 16:57:09 UTC519OUTData Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 32 32 36 36 39 33 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c
                                                      Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888226693",null,null,null
                                                       2024-10-02 16:57:09 UTC | 933 | IN | HTTP/1.1 200 OK
                                                      Access-Control-Allow-Origin: https://accounts.google.com
                                                      Cross-Origin-Resource-Policy: cross-origin
                                                      Access-Control-Allow-Credentials: true
                                                      Access-Control-Allow-Headers: X-Playlog-Web
                                                      Set-Cookie: NID=518=F1GWqozfbGLW9hfGllREsdBgmkpSSfJCQ-I3QDWS0-TqRU5oFuWLSQyP4StB1ojYRFxPzjZekoMvcqzdpLnNEZ8b43v91DeFuT0px3fb4O7dvQwa8weKo-y3XlRqWeQ0IJZSWmYMKV0RBRTFEzA9qsorb5UEZ9iVcoUucGzSgyX-EOxw0Gw; expires=Thu, 03-Apr-2025 16:57:09 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                      P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                      Content-Type: text/plain; charset=UTF-8
                                                      Date: Wed, 02 Oct 2024 16:57:09 GMT
                                                      Server: Playlog
                                                      Cache-Control: private
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Accept-Ranges: none
                                                      Vary: Accept-Encoding
                                                      Expires: Wed, 02 Oct 2024 16:57:09 GMT
                                                      Connection: close
                                                      Transfer-Encoding: chunked
                                                       2024-10-02 16:57:09 UTC | 137 | IN | Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                       Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                       2024-10-02 16:57:09 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                       Data Ascii: 0


                                                       Session ID: 11 | Source IP: 192.168.2.6 | Source Port: 49722 | Destination IP: 142.250.184.228 | Destination Port: 443 | PID: 1460 | Process: C:\Program Files\Google\Chrome\Application\chrome.exe
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       2024-10-02 16:57:09 UTC | 1202 | OUT | GET /favicon.ico HTTP/1.1
                                                      Host: www.google.com
                                                      Connection: keep-alive
                                                      sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                      sec-ch-ua-mobile: ?0
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                      sec-ch-ua-arch: "x86"
                                                      sec-ch-ua-full-version: "117.0.5938.134"
                                                      sec-ch-ua-platform-version: "10.0.0"
                                                      sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                      sec-ch-ua-bitness: "64"
                                                      sec-ch-ua-model: ""
                                                      sec-ch-ua-wow64: ?0
                                                      sec-ch-ua-platform: "Windows"
                                                      Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
                                                      X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
                                                      Sec-Fetch-Site: same-site
                                                      Sec-Fetch-Mode: no-cors
                                                      Sec-Fetch-Dest: image
                                                      Referer: https://accounts.google.com/
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cookie: NID=518=F1GWqozfbGLW9hfGllREsdBgmkpSSfJCQ-I3QDWS0-TqRU5oFuWLSQyP4StB1ojYRFxPzjZekoMvcqzdpLnNEZ8b43v91DeFuT0px3fb4O7dvQwa8weKo-y3XlRqWeQ0IJZSWmYMKV0RBRTFEzA9qsorb5UEZ9iVcoUucGzSgyX-EOxw0Gw
                                                      2024-10-02 16:57:10 UTC | 705 | IN | HTTP/1.1 200 OK
                                                      Accept-Ranges: bytes
                                                      Cross-Origin-Resource-Policy: cross-origin
                                                      Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="static-on-bigtable"
                                                      Report-To: {"group":"static-on-bigtable","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/static-on-bigtable"}]}
                                                      Content-Length: 5430
                                                      X-Content-Type-Options: nosniff
                                                      Server: sffe
                                                      X-XSS-Protection: 0
                                                      Date: Wed, 02 Oct 2024 15:37:10 GMT
                                                      Expires: Thu, 10 Oct 2024 15:37:10 GMT
                                                      Cache-Control: public, max-age=691200
                                                      Last-Modified: Tue, 22 Oct 2019 18:30:00 GMT
                                                      Content-Type: image/x-icon
                                                      Vary: Accept-Encoding
                                                      Age: 4800
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Connection: close
                                                      2024-10-02 16:57:10 UTC | 685 | IN | (binary image/x-icon data)
                                                      2024-10-02 16:57:10 UTC | 1390 | IN | (binary image/x-icon data)
                                                      2024-10-02 16:57:10 UTC | 1390 | IN | (binary image/x-icon data)
                                                      2024-10-02 16:57:10 UTC | 1390 | IN | (binary image/x-icon data)
                                                      2024-10-02 16:57:10 UTC | 575 | IN | (binary image/x-icon data)


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      12 | 192.168.2.6 | 49756 | 4.245.163.56 | 443 | |
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:57:11 UTC | 306 | OUT | GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=tGtYDt73AH3hFv3&MD=2lGosxrH HTTP/1.1
                                                      Connection: Keep-Alive
                                                      Accept: */*
                                                      User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                      Host: slscr.update.microsoft.com
                                                      2024-10-02 16:57:12 UTC | 560 | IN | HTTP/1.1 200 OK
                                                      Cache-Control: no-cache
                                                      Pragma: no-cache
                                                      Content-Type: application/octet-stream
                                                      Expires: -1
                                                      Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                      ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880"
                                                      MS-CorrelationId: 3812ad5b-18cf-4ebb-a280-50067230f422
                                                      MS-RequestId: cbf7c8e7-aebf-4476-8712-ff71a3c8f872
                                                      MS-CV: IRUa3NbFUkqdkAAO.0
                                                      X-Microsoft-SLSClientCache: 2880
                                                      Content-Disposition: attachment; filename=environment.cab
                                                      X-Content-Type-Options: nosniff
                                                      Date: Wed, 02 Oct 2024 16:57:11 GMT
                                                      Connection: close
                                                      Content-Length: 24490
                                                      2024-10-02 16:57:12 UTC | 15824 | IN | (binary MSCF cabinet data, environment.cab)
                                                      2024-10-02 16:57:12 UTC | 8666 | IN | (binary cabinet data, continued)


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      13 | 192.168.2.6 | 49764 | 142.250.181.238 | 443 | 1460 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:57:16 UTC | 1287 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                      Host: play.google.com
                                                      Connection: keep-alive
                                                      Content-Length: 1215
                                                      sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                      sec-ch-ua-mobile: ?0
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                      sec-ch-ua-arch: "x86"
                                                      Content-Type: text/plain;charset=UTF-8
                                                      sec-ch-ua-full-version: "117.0.5938.134"
                                                      sec-ch-ua-platform-version: "10.0.0"
                                                      X-Goog-AuthUser: 0
                                                      sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                      sec-ch-ua-bitness: "64"
                                                      sec-ch-ua-model: ""
                                                      sec-ch-ua-wow64: ?0
                                                      sec-ch-ua-platform: "Windows"
                                                      Accept: */*
                                                      Origin: https://accounts.google.com
                                                      X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
                                                      Sec-Fetch-Site: same-site
                                                      Sec-Fetch-Mode: cors
                                                      Sec-Fetch-Dest: empty
                                                      Referer: https://accounts.google.com/
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cookie: NID=518=F1GWqozfbGLW9hfGllREsdBgmkpSSfJCQ-I3QDWS0-TqRU5oFuWLSQyP4StB1ojYRFxPzjZekoMvcqzdpLnNEZ8b43v91DeFuT0px3fb4O7dvQwa8weKo-y3XlRqWeQ0IJZSWmYMKV0RBRTFEzA9qsorb5UEZ9iVcoUucGzSgyX-EOxw0Gw
                                                      2024-10-02 16:57:16 UTC | 1215 | OUT | [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,null,null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[4,0,0,0,0]]],558,[["1727888224000",null,null,null,
                                                      2024-10-02 16:57:16 UTC | 941 | IN | HTTP/1.1 200 OK
                                                      Access-Control-Allow-Origin: https://accounts.google.com
                                                      Cross-Origin-Resource-Policy: cross-origin
                                                      Access-Control-Allow-Credentials: true
                                                      Access-Control-Allow-Headers: X-Playlog-Web
                                                      Set-Cookie: NID=518=xk2YEBro0J7KuXBrELGaeLa1QhTVg6z51-sRcWLmE3yff2JGlsLgmP0o6lC9mhg0Z3wMkfTrMuHKwum01xV981AzZftmoom6UTYbtv5xWx5NOnD5w1pTnqQHw8rTTOb-mMxW4ApnAQmF7VOv5YRgkwdZaff9zLQn0XfDVbWdqEx0yv9bKS8IZrDhf-o; expires=Thu, 03-Apr-2025 16:57:16 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none
                                                      P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                      Content-Type: text/plain; charset=UTF-8
                                                      Date: Wed, 02 Oct 2024 16:57:16 GMT
                                                      Server: Playlog
                                                      Cache-Control: private
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Accept-Ranges: none
                                                      Vary: Accept-Encoding
                                                      Expires: Wed, 02 Oct 2024 16:57:16 GMT
                                                      Connection: close
                                                      Transfer-Encoding: chunked
                                                      2024-10-02 16:57:16 UTC | 137 | IN | 83
                                                      ["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                      2024-10-02 16:57:16 UTC | 5 | IN | 0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                      14 | 192.168.2.6 | 49765 | 40.115.3.253 | 443
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:57:19 UTC | 71 | OUT | CNT 1 CON 305
                                                      MS-CV: WTw+3TOUXku+A2cj.1
                                                      Context: 81588c58b2ddb104
                                                      2024-10-02 16:57:19 UTC | 249 | OUT | <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                      2024-10-02 16:57:19 UTC | 1084 | OUT | ATH 2 CON\DEVICE 1061
                                                      MS-CV: WTw+3TOUXku+A2cj.2
                                                      Context: 81588c58b2ddb104
                                                      <device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAWujTUu+XBpp0vPMOdnP6HupFqfBU565dj/dFc8gNPgHmfOkOnEzyTUSgg/2cDld5+rdajmlOj5DzMOkoDGCfxDNqzvQq3J0rDYecwqDHkogUL
                                                      2024-10-02 16:57:19 UTC | 218 | OUT | BND 3 CON\WNS 0 197
                                                      MS-CV: WTw+3TOUXku+A2cj.3
                                                      Context: 81588c58b2ddb104
                                                      <wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                                      2024-10-02 16:57:19 UTC | 14 | IN | 202 1 CON 58
                                                      2024-10-02 16:57:19 UTC | 58 | IN | MS-CV: j5qZ8oj42EOvNtvqKryhgg.0
                                                      Payload parsing failed.


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      15 | 192.168.2.6 | 49766 | 142.250.181.238 | 443 | 1460 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:57:38 UTC | 1318 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                      Host: play.google.com
                                                      Connection: keep-alive
                                                      Content-Length: 1344
                                                      sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                      sec-ch-ua-mobile: ?0
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                      sec-ch-ua-arch: "x86"
                                                      Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                      sec-ch-ua-full-version: "117.0.5938.134"
                                                      sec-ch-ua-platform-version: "10.0.0"
                                                      X-Goog-AuthUser: 0
                                                      sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                      sec-ch-ua-bitness: "64"
                                                      sec-ch-ua-model: ""
                                                      sec-ch-ua-wow64: ?0
                                                      sec-ch-ua-platform: "Windows"
                                                      Accept: */*
                                                      Origin: https://accounts.google.com
                                                      X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
                                                      Sec-Fetch-Site: same-site
                                                      Sec-Fetch-Mode: cors
                                                      Sec-Fetch-Dest: empty
                                                      Referer: https://accounts.google.com/
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cookie: NID=518=xk2YEBro0J7KuXBrELGaeLa1QhTVg6z51-sRcWLmE3yff2JGlsLgmP0o6lC9mhg0Z3wMkfTrMuHKwum01xV981AzZftmoom6UTYbtv5xWx5NOnD5w1pTnqQHw8rTTOb-mMxW4ApnAQmF7VOv5YRgkwdZaff9zLQn0XfDVbWdqEx0yv9bKS8IZrDhf-o
                                                      2024-10-02 16:57:38 UTC | 1344 | OUT | [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888256909",null,null,null
                                                      2024-10-02 16:57:38 UTC | 523 | IN | HTTP/1.1 200 OK
                                                      Access-Control-Allow-Origin: https://accounts.google.com
                                                      Cross-Origin-Resource-Policy: cross-origin
                                                      Access-Control-Allow-Credentials: true
                                                      Access-Control-Allow-Headers: X-Playlog-Web
                                                      Content-Type: text/plain; charset=UTF-8
                                                      Date: Wed, 02 Oct 2024 16:57:38 GMT
                                                      Server: Playlog
                                                      Cache-Control: private
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Accept-Ranges: none
                                                      Vary: Accept-Encoding
                                                      Connection: close
                                                      Transfer-Encoding: chunked
                                                      2024-10-02 16:57:38 UTC | 137 | IN | 83
                                                      ["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                      2024-10-02 16:57:38 UTC | 5 | IN | 0


                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      16 | 192.168.2.6 | 49767 | 142.250.181.238 | 443 | 1460 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:57:38 UTC | 1318 | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                      Host: play.google.com
                                                      Connection: keep-alive
                                                      Content-Length: 1395
                                                      sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                      sec-ch-ua-mobile: ?0
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                      sec-ch-ua-arch: "x86"
                                                      Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                      sec-ch-ua-full-version: "117.0.5938.134"
                                                      sec-ch-ua-platform-version: "10.0.0"
                                                      X-Goog-AuthUser: 0
                                                      sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                      sec-ch-ua-bitness: "64"
                                                      sec-ch-ua-model: ""
                                                      sec-ch-ua-wow64: ?0
                                                      sec-ch-ua-platform: "Windows"
                                                      Accept: */*
                                                      Origin: https://accounts.google.com
                                                      X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
                                                      Sec-Fetch-Site: same-site
                                                      Sec-Fetch-Mode: cors
                                                      Sec-Fetch-Dest: empty
                                                      Referer: https://accounts.google.com/
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cookie: NID=518=xk2YEBro0J7KuXBrELGaeLa1QhTVg6z51-sRcWLmE3yff2JGlsLgmP0o6lC9mhg0Z3wMkfTrMuHKwum01xV981AzZftmoom6UTYbtv5xWx5NOnD5w1pTnqQHw8rTTOb-mMxW4ApnAQmF7VOv5YRgkwdZaff9zLQn0XfDVbWdqEx0yv9bKS8IZrDhf-o
                                                       2024-10-02 16:57:38 UTC  1395               OUT        Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 32 35 37 34 35 34 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c
                                                      Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888257454",null,null,null
                                                       2024-10-02 16:57:40 UTC  523                IN         HTTP/1.1 200 OK
                                                      Access-Control-Allow-Origin: https://accounts.google.com
                                                      Cross-Origin-Resource-Policy: cross-origin
                                                      Access-Control-Allow-Credentials: true
                                                      Access-Control-Allow-Headers: X-Playlog-Web
                                                      Content-Type: text/plain; charset=UTF-8
                                                      Date: Wed, 02 Oct 2024 16:57:39 GMT
                                                      Server: Playlog
                                                      Cache-Control: private
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Accept-Ranges: none
                                                      Vary: Accept-Encoding
                                                      Connection: close
                                                      Transfer-Encoding: chunked
                                                       2024-10-02 16:57:40 UTC  137                IN         Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                      Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                       2024-10-02 16:57:40 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                                      Data Ascii: 0


                                                       Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                       17          192.168.2.6  49768        142.250.181.238  443               1460  C:\Program Files\Google\Chrome\Application\chrome.exe
                                                       Timestamp                Bytes transferred  Direction  Data
                                                       2024-10-02 16:57:40 UTC  1277               OUT        POST /log?hasfast=true&authuser=0&format=json HTTP/1.1
                                                      Host: play.google.com
                                                      Connection: keep-alive
                                                      Content-Length: 864
                                                      sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                      sec-ch-ua-mobile: ?0
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                      sec-ch-ua-arch: "x86"
                                                      sec-ch-ua-full-version: "117.0.5938.134"
                                                      Content-Type: text/plain;charset=UTF-8
                                                      sec-ch-ua-platform-version: "10.0.0"
                                                      sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                      sec-ch-ua-bitness: "64"
                                                      sec-ch-ua-model: ""
                                                      sec-ch-ua-wow64: ?0
                                                      sec-ch-ua-platform: "Windows"
                                                      Accept: */*
                                                      Origin: https://accounts.google.com
                                                      X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
                                                      Sec-Fetch-Site: same-site
                                                      Sec-Fetch-Mode: no-cors
                                                      Sec-Fetch-Dest: empty
                                                      Referer: https://accounts.google.com/
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cookie: NID=518=xk2YEBro0J7KuXBrELGaeLa1QhTVg6z51-sRcWLmE3yff2JGlsLgmP0o6lC9mhg0Z3wMkfTrMuHKwum01xV981AzZftmoom6UTYbtv5xWx5NOnD5w1pTnqQHw8rTTOb-mMxW4ApnAQmF7VOv5YRgkwdZaff9zLQn0XfDVbWdqEx0yv9bKS8IZrDhf-o
                                                       2024-10-02 16:57:40 UTC  864                OUT        Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 62 6f 71 5f 69 64 65 6e 74 69 74 79 66 72 6f 6e 74 65 6e 64 61 75 74 68 75 69 73 65 72 76 65 72 5f 32 30 32 34 30 39 32 39 2e 30 37 5f 70 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 33 2c 30 2c 30
                                                      Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"boq_identityfrontendauthuiserver_20240929.07_p0",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[3,0,0
                                                       2024-10-02 16:57:40 UTC  523                IN         HTTP/1.1 200 OK
                                                      Access-Control-Allow-Origin: https://accounts.google.com
                                                      Cross-Origin-Resource-Policy: cross-origin
                                                      Access-Control-Allow-Credentials: true
                                                      Access-Control-Allow-Headers: X-Playlog-Web
                                                      Content-Type: text/plain; charset=UTF-8
                                                      Date: Wed, 02 Oct 2024 16:57:40 GMT
                                                      Server: Playlog
                                                      Cache-Control: private
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Accept-Ranges: none
                                                      Vary: Accept-Encoding
                                                      Connection: close
                                                      Transfer-Encoding: chunked
                                                       2024-10-02 16:57:40 UTC  137                IN         Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                      Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                       2024-10-02 16:57:40 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                                      Data Ascii: 0


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                       18          192.168.2.6  49769        40.115.3.253    443
                                                       Timestamp                Bytes transferred  Direction  Data
                                                       2024-10-02 16:57:41 UTC  71                 OUT        Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 59 76 44 65 4b 31 38 61 4d 6b 75 6a 2b 61 38 57 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 65 38 61 63 64 61 35 31 37 64 38 64 37 30 37 0d 0a 0d 0a
                                                      Data Ascii: CNT 1 CON 305MS-CV: YvDeK18aMkuj+a8W.1Context: 2e8acda517d8d707
                                                       2024-10-02 16:57:41 UTC  249                OUT        Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                      Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                       2024-10-02 16:57:41 UTC  1084               OUT        Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 59 76 44 65 4b 31 38 61 4d 6b 75 6a 2b 61 38 57 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 65 38 61 63 64 61 35 31 37 64 38 64 37 30 37 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 57 75 6a 54 55 75 2b 58 42 70 70 30 76 50 4d 4f 64 6e 50 36 48 75 70 46 71 66 42 55 35 36 35 64 6a 2f 64 46 63 38 67 4e 50 67 48 6d 66 4f 6b 4f 6e 45 7a 79 54 55 53 67 67 2f 32 63 44 6c 64 35 2b 72 64 61 6a 6d 6c 4f 6a 35 44 7a 4d 4f 6b 6f 44 47 43 66 78 44 4e 71 7a 76 51 71 33 4a 30 72 44 59 65 63 77 71 44 48 6b 6f 67 55 4c
                                                      Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: YvDeK18aMkuj+a8W.2Context: 2e8acda517d8d707<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAWujTUu+XBpp0vPMOdnP6HupFqfBU565dj/dFc8gNPgHmfOkOnEzyTUSgg/2cDld5+rdajmlOj5DzMOkoDGCfxDNqzvQq3J0rDYecwqDHkogUL
                                                       2024-10-02 16:57:41 UTC  218                OUT        Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 59 76 44 65 4b 31 38 61 4d 6b 75 6a 2b 61 38 57 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 65 38 61 63 64 61 35 31 37 64 38 64 37 30 37 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                                                      Data Ascii: BND 3 CON\WNS 0 197MS-CV: YvDeK18aMkuj+a8W.3Context: 2e8acda517d8d707<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                                       2024-10-02 16:57:41 UTC  14                 IN         Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                      Data Ascii: 202 1 CON 58
                                                       2024-10-02 16:57:41 UTC  58                 IN         Data Raw: 4d 53 2d 43 56 3a 20 47 6e 31 62 77 44 66 63 67 30 75 31 48 42 73 4f 49 64 6e 6d 34 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                      Data Ascii: MS-CV: Gn1bwDfcg0u1HBsOIdnm4w.0Payload parsing failed.
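The Data Ascii column in this report drops non-printable bytes, so two things are visible only in the Data Raw hex: the chunk-size line ("83", then CRLF) that precedes the JSON in the play.google.com responses of Session 16, and the CRLF breaks that separate a WNS frame's first line, its MS-CV and Context fields and its body in Session 18. The Python below is an added example, not part of the Joe Sandbox report or its tooling; the hex literals are copied from the report's Data Raw fields and the XML is the printable string the report shows. It de-chunks the Session 16 response and splits the Session 18 CNT frame, checking the numeric field of the frame's first line against the bytes that follow that line. In this capture the two agree for every frame (56 header bytes plus the 249-byte <connect> record gives 305 for CNT; 1061 and 197 for the ATH and BND frames; 58 for the server's 202 reply), so the code uses that relation as a consistency check; the frame layout is inferred from these bytes, not taken from a published WNS specification. The frames name a WPN client and bind to WNS, i.e. the Windows push-notification platform, and the report lists no PID for the session, so nothing here attributes that traffic to the sample; the deviceName they carry, VMware20,1, is the guest's virtual-hardware identity and is worth keeping in mind next to the sandbox-detection signatures listed for this analysis.

```python
"""Decode the report's 'Data Raw' hex and recover the framing the 'Data Ascii'
column drops: HTTP chunk-size lines and the CR/LF breaks inside WNS frames.

Added example, not part of the Joe Sandbox report. The hex literals are copied
from the report's Data Raw fields; the XML is the printable string it shows."""
import json
import xml.etree.ElementTree as ET

# Session 16, last two IN records: one 0x83-byte chunk and the zero-length
# terminating chunk of the play.google.com /log response.
CHUNK_HEX = (
    "38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f "
    "42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 "
    "2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f "
    "4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 "
    "5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d "
    "0d 0a"
)
LAST_CHUNK_HEX = "30 0d 0a 0d 0a"

# Session 18, first OUT record (the WNS 'CNT 1 CON 305' header) and the
# 249-byte <connect> record sent right after it.
WNS_CNT_HEX = (
    "43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 59 76 44 65 "
    "4b 31 38 61 4d 6b 75 6a 2b 61 38 57 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 "
    "65 38 61 63 64 61 35 31 37 64 38 64 37 30 37 0d 0a 0d 0a"
)
WNS_CONNECT_XML = (
    "<connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer>"
    "<proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac>"
    "<deviceType>1</deviceType><deviceName>VMware20,1</deviceName>"
    "<followRetry>true</followRetry></agent></connect>"
)


def raw_to_bytes(raw: str) -> bytes:
    """'Data Raw' hex back to bytes; bytes.fromhex() skips the spaces."""
    return bytes.fromhex(raw)


def dechunk(body: bytes) -> tuple[bytes, list[int]]:
    """Parse an HTTP/1.1 chunked body into (payload, chunk sizes).

    Raises ValueError if a chunk is shorter than its size line claims or is
    not followed by CRLF, i.e. if the capture was truncated."""
    out, sizes, pos = bytearray(), [], 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        sizes.append(size)
        if size == 0:                                  # last-chunk marker
            return bytes(out), sizes
        start, stop = eol + 2, eol + 2 + size
        if body[stop:stop + 2] != b"\r\n":
            raise ValueError(f"chunk of {size} bytes truncated or missing CRLF")
        out += body[start:stop]
        pos = stop + 2


def decode_playlog_response() -> dict:
    """Join the two chunked IN records and parse the JSON they carry."""
    payload, sizes = dechunk(raw_to_bytes(CHUNK_HEX + " " + LAST_CHUNK_HEX))
    return {"chunk_sizes": sizes, "payload_len": len(payload),
            "json": json.loads(payload)}


def parse_wns_frame(frame: bytes) -> dict:
    """Split a WNS frame into first line, header fields and body.

    Layout inferred from the bytes in this capture (not from a spec): the
    first line is 'VERB SEQ TARGET LENGTH', then 'Name: value' lines, a blank
    line and the body. LENGTH equalled the byte count after the first line
    for every frame in the report, so both numbers are returned."""
    first, _, rest = frame.partition(b"\r\n")
    verb, seq, target, length = first.decode("ascii").split(" ")
    head, _, body = rest.partition(b"\r\n\r\n")
    headers = dict(line.split(": ", 1)
                   for line in head.decode("ascii").split("\r\n"))
    return {"verb": verb, "seq": int(seq), "target": target,
            "declared_length": int(length), "actual_length": len(rest),
            "headers": headers, "body": body}


def decode_wns_connect() -> dict:
    """Parse the CNT frame plus its <connect> body and pull the deviceName."""
    frame = parse_wns_frame(raw_to_bytes(WNS_CNT_HEX) + WNS_CONNECT_XML.encode())
    frame["device_name"] = ET.fromstring(frame["body"]).findtext("agent/deviceName")
    return frame


if __name__ == "__main__":
    print(decode_playlog_response())
    print({k: v for k, v in decode_wns_connect().items() if k != "body"})
```

The same two helpers apply to any record in this report: feed `raw_to_bytes()` a Data Raw string and hand the result to `dechunk()` for chunked HTTP bodies or `parse_wns_frame()` for the frames in Sessions 18 and 20. Working from the hex rather than the Data Ascii column matters when a record's byte count (137, 71, 14) does not match the visible text, which is exactly the case for every chunked and WNS record here.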


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
                                                       19          192.168.2.6  49770        4.245.163.56    443
                                                       Timestamp                Bytes transferred  Direction  Data
                                                       2024-10-02 16:57:49 UTC  306                OUT        GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=tGtYDt73AH3hFv3&MD=2lGosxrH HTTP/1.1
                                                      Connection: Keep-Alive
                                                      Accept: */*
                                                      User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
                                                      Host: slscr.update.microsoft.com
                                                       2024-10-02 16:57:49 UTC  560                IN         HTTP/1.1 200 OK
                                                      Cache-Control: no-cache
                                                      Pragma: no-cache
                                                      Content-Type: application/octet-stream
                                                      Expires: -1
                                                      Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT
                                                      ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440"
                                                      MS-CorrelationId: 7c0a6c7f-c9f6-4ad8-8d44-bf1fa41355f2
                                                      MS-RequestId: ecc44940-f9d9-4fd4-8a46-7e375b903188
                                                      MS-CV: gIiqKwk8tk2pT7BP.0
                                                      X-Microsoft-SLSClientCache: 1440
                                                      Content-Disposition: attachment; filename=environment.cab
                                                      X-Content-Type-Options: nosniff
                                                      Date: Wed, 02 Oct 2024 16:57:48 GMT
                                                      Connection: close
                                                      Content-Length: 30005
                                                       2024-10-02 16:57:49 UTC  15824              IN         Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e
                                                      Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
                                                       2024-10-02 16:57:49 UTC  14181              IN         Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f
                                                      Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                       20          192.168.2.6  49773        40.115.3.253    443
                                                       Timestamp                Bytes transferred  Direction  Data
                                                       2024-10-02 16:58:03 UTC  71                 OUT        Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 66 42 47 7a 37 6c 4b 6a 38 45 79 46 66 6b 33 4e 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 63 30 61 38 33 63 39 32 30 39 31 65 66 34 37 0d 0a 0d 0a
                                                      Data Ascii: CNT 1 CON 305MS-CV: fBGz7lKj8EyFfk3N.1Context: 1c0a83c92091ef47
                                                       2024-10-02 16:58:03 UTC  249                OUT        Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                      Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                       2024-10-02 16:58:03 UTC  1084               OUT        Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 66 42 47 7a 37 6c 4b 6a 38 45 79 46 66 6b 33 4e 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 63 30 61 38 33 63 39 32 30 39 31 65 66 34 37 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 57 75 6a 54 55 75 2b 58 42 70 70 30 76 50 4d 4f 64 6e 50 36 48 75 70 46 71 66 42 55 35 36 35 64 6a 2f 64 46 63 38 67 4e 50 67 48 6d 66 4f 6b 4f 6e 45 7a 79 54 55 53 67 67 2f 32 63 44 6c 64 35 2b 72 64 61 6a 6d 6c 4f 6a 35 44 7a 4d 4f 6b 6f 44 47 43 66 78 44 4e 71 7a 76 51 71 33 4a 30 72 44 59 65 63 77 71 44 48 6b 6f 67 55 4c
                                                      Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: fBGz7lKj8EyFfk3N.2Context: 1c0a83c92091ef47<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAWujTUu+XBpp0vPMOdnP6HupFqfBU565dj/dFc8gNPgHmfOkOnEzyTUSgg/2cDld5+rdajmlOj5DzMOkoDGCfxDNqzvQq3J0rDYecwqDHkogUL
                                                       2024-10-02 16:58:03 UTC  218                OUT        Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 66 42 47 7a 37 6c 4b 6a 38 45 79 46 66 6b 33 4e 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 63 30 61 38 33 63 39 32 30 39 31 65 66 34 37 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                                                      Data Ascii: BND 3 CON\WNS 0 197MS-CV: fBGz7lKj8EyFfk3N.3Context: 1c0a83c92091ef47<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                                       2024-10-02 16:58:04 UTC  14                 IN         Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                      Data Ascii: 202 1 CON 58
                                                       2024-10-02 16:58:04 UTC  58                 IN         Data Raw: 4d 53 2d 43 56 3a 20 57 64 53 75 39 50 66 39 4f 30 4b 71 4e 67 68 41 48 31 77 65 2b 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                      Data Ascii: MS-CV: WdSu9Pf9O0KqNghAH1we+Q.0Payload parsing failed.


                                                       Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                       21          192.168.2.6  49774        142.250.185.142  443               1460  C:\Program Files\Google\Chrome\Application\chrome.exe
                                                       Timestamp                Bytes transferred  Direction  Data
                                                       2024-10-02 16:58:08 UTC  1318               OUT        POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                      Host: play.google.com
                                                      Connection: keep-alive
                                                      Content-Length: 1279
                                                      sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                      sec-ch-ua-mobile: ?0
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                      sec-ch-ua-arch: "x86"
                                                      Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                      sec-ch-ua-full-version: "117.0.5938.134"
                                                      sec-ch-ua-platform-version: "10.0.0"
                                                      X-Goog-AuthUser: 0
                                                      sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                      sec-ch-ua-bitness: "64"
                                                      sec-ch-ua-model: ""
                                                      sec-ch-ua-wow64: ?0
                                                      sec-ch-ua-platform: "Windows"
                                                      Accept: */*
                                                      Origin: https://accounts.google.com
                                                      X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
                                                      Sec-Fetch-Site: same-site
                                                      Sec-Fetch-Mode: cors
                                                      Sec-Fetch-Dest: empty
                                                      Referer: https://accounts.google.com/
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cookie: NID=518=xk2YEBro0J7KuXBrELGaeLa1QhTVg6z51-sRcWLmE3yff2JGlsLgmP0o6lC9mhg0Z3wMkfTrMuHKwum01xV981AzZftmoom6UTYbtv5xWx5NOnD5w1pTnqQHw8rTTOb-mMxW4ApnAQmF7VOv5YRgkwdZaff9zLQn0XfDVbWdqEx0yv9bKS8IZrDhf-o
                                                       2024-10-02 16:58:08 UTC  1279               OUT        Data Raw: 5b 5b 31 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 5b 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 22 65 6e 22 2c 6e 75 6c 6c 2c 22 33 30 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 22 2c 22 31 31 37 22 5d 2c 5b 22 4e 6f 74 3b 41 3d 42 72 61 6e 64 22 2c 22 38 22 5d 2c 5b 22 43 68 72 6f 6d 69 75 6d 22 2c 22 31 31 37 22 5d 5d 2c 30 2c 22 57 69 6e 64 6f 77 73 22 2c 22 31 30 2e 30 2e 30 22 2c 22 78 38 36 22 2c 22 22 2c 22 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 34 22 5d 2c 5b 31 2c 30 2c 30 2c 30 2c 30 5d 5d 5d 2c 31 38 32 38 2c 5b 5b 22 31 37 32 37 38 38 38 32 38 37 32 33 35 22 2c 6e 75 6c 6c 2c 6e 75 6c 6c 2c 6e 75 6c 6c
                                                      Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888287235",null,null,null
                                                       2024-10-02 16:58:09 UTC  523                IN         HTTP/1.1 200 OK
                                                      Access-Control-Allow-Origin: https://accounts.google.com
                                                      Cross-Origin-Resource-Policy: cross-origin
                                                      Access-Control-Allow-Credentials: true
                                                      Access-Control-Allow-Headers: X-Playlog-Web
                                                      Content-Type: text/plain; charset=UTF-8
                                                      Date: Wed, 02 Oct 2024 16:58:08 GMT
                                                      Server: Playlog
                                                      Cache-Control: private
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Accept-Ranges: none
                                                      Vary: Accept-Encoding
                                                      Connection: close
                                                      Transfer-Encoding: chunked
                                                       2024-10-02 16:58:09 UTC  137                IN         Data Raw: 38 33 0d 0a 5b 22 2d 31 22 2c 6e 75 6c 6c 2c 5b 5b 5b 22 41 4e 44 52 4f 49 44 5f 42 41 43 4b 55 50 22 2c 30 5d 2c 5b 22 42 41 54 54 45 52 59 5f 53 54 41 54 53 22 2c 30 5d 2c 5b 22 53 4d 41 52 54 5f 53 45 54 55 50 22 2c 30 5d 2c 5b 22 54 52 4f 4e 22 2c 30 5d 5d 2c 2d 33 33 33 34 37 33 37 35 39 34 30 32 34 39 37 31 32 32 35 5d 2c 5b 5d 2c 7b 22 31 37 35 32 33 37 33 37 35 22 3a 5b 31 30 30 30 30 5d 7d 5d 0d 0a
                                                      Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                       2024-10-02 16:58:09 UTC  5                  IN         Data Raw: 30 0d 0a 0d 0a
                                                      Data Ascii: 0


                                                      Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                      22         | 192.168.2.6 | 49776       | 142.250.185.142 | 443              | 1460 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:58:09 UTC | 1318 bytes | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                      Host: play.google.com
                                                      Connection: keep-alive
                                                      Content-Length: 1346
                                                      sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                      sec-ch-ua-mobile: ?0
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                      sec-ch-ua-arch: "x86"
                                                      Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                      sec-ch-ua-full-version: "117.0.5938.134"
                                                      sec-ch-ua-platform-version: "10.0.0"
                                                      X-Goog-AuthUser: 0
                                                      sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                      sec-ch-ua-bitness: "64"
                                                      sec-ch-ua-model: ""
                                                      sec-ch-ua-wow64: ?0
                                                      sec-ch-ua-platform: "Windows"
                                                      Accept: */*
                                                      Origin: https://accounts.google.com
                                                      X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
                                                      Sec-Fetch-Site: same-site
                                                      Sec-Fetch-Mode: cors
                                                      Sec-Fetch-Dest: empty
                                                      Referer: https://accounts.google.com/
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cookie: NID=518=xk2YEBro0J7KuXBrELGaeLa1QhTVg6z51-sRcWLmE3yff2JGlsLgmP0o6lC9mhg0Z3wMkfTrMuHKwum01xV981AzZftmoom6UTYbtv5xWx5NOnD5w1pTnqQHw8rTTOb-mMxW4ApnAQmF7VOv5YRgkwdZaff9zLQn0XfDVbWdqEx0yv9bKS8IZrDhf-o
                                                      2024-10-02 16:58:09 UTC | 1346 bytes | OUT
                                                      Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888288192",null,null,null
                                                      2024-10-02 16:58:10 UTC | 523 bytes | IN | HTTP/1.1 200 OK
                                                      Access-Control-Allow-Origin: https://accounts.google.com
                                                      Cross-Origin-Resource-Policy: cross-origin
                                                      Access-Control-Allow-Credentials: true
                                                      Access-Control-Allow-Headers: X-Playlog-Web
                                                      Content-Type: text/plain; charset=UTF-8
                                                      Date: Wed, 02 Oct 2024 16:58:09 GMT
                                                      Server: Playlog
                                                      Cache-Control: private
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Accept-Ranges: none
                                                      Vary: Accept-Encoding
                                                      Connection: close
                                                      Transfer-Encoding: chunked
                                                      2024-10-02 16:58:10 UTC | 137 bytes | IN
                                                      Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                      2024-10-02 16:58:10 UTC | 5 bytes | IN
                                                      Data Ascii: 0


                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port
                                                      23         | 192.168.2.6 | 49779       | 40.115.3.253   | 443
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:58:29 UTC | 71 bytes | OUT
                                                      Data Ascii: CNT 1 CON 305MS-CV: Jqi9H1tjt0qbM9oX.1Context: 593eebddb53c9438
                                                      2024-10-02 16:58:29 UTC | 249 bytes | OUT
                                                      Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                      2024-10-02 16:58:29 UTC | 1084 bytes | OUT
                                                      Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: Jqi9H1tjt0qbM9oX.2Context: 593eebddb53c9438<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAWujTUu+XBpp0vPMOdnP6HupFqfBU565dj/dFc8gNPgHmfOkOnEzyTUSgg/2cDld5+rdajmlOj5DzMOkoDGCfxDNqzvQq3J0rDYecwqDHkogUL
                                                      2024-10-02 16:58:29 UTC | 218 bytes | OUT
                                                      Data Ascii: BND 3 CON\WNS 0 197MS-CV: Jqi9H1tjt0qbM9oX.3Context: 593eebddb53c9438<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                                      2024-10-02 16:58:29 UTC | 14 bytes | IN
                                                      Data Ascii: 202 1 CON 58
                                                      2024-10-02 16:58:29 UTC | 58 bytes | IN
                                                      Data Ascii: MS-CV: xLYRNoe1MUSSK/+0Xnp5lw.0Payload parsing failed.


                                                      Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                      24         | 192.168.2.6 | 49780       | 142.250.185.142 | 443              | 1460 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:58:39 UTC | 1318 bytes | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                      Host: play.google.com
                                                      Connection: keep-alive
                                                      Content-Length: 1169
                                                      sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                      sec-ch-ua-mobile: ?0
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                      sec-ch-ua-arch: "x86"
                                                      Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                      sec-ch-ua-full-version: "117.0.5938.134"
                                                      sec-ch-ua-platform-version: "10.0.0"
                                                      X-Goog-AuthUser: 0
                                                      sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                      sec-ch-ua-bitness: "64"
                                                      sec-ch-ua-model: ""
                                                      sec-ch-ua-wow64: ?0
                                                      sec-ch-ua-platform: "Windows"
                                                      Accept: */*
                                                      Origin: https://accounts.google.com
                                                      X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
                                                      Sec-Fetch-Site: same-site
                                                      Sec-Fetch-Mode: cors
                                                      Sec-Fetch-Dest: empty
                                                      Referer: https://accounts.google.com/
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cookie: NID=518=xk2YEBro0J7KuXBrELGaeLa1QhTVg6z51-sRcWLmE3yff2JGlsLgmP0o6lC9mhg0Z3wMkfTrMuHKwum01xV981AzZftmoom6UTYbtv5xWx5NOnD5w1pTnqQHw8rTTOb-mMxW4ApnAQmF7VOv5YRgkwdZaff9zLQn0XfDVbWdqEx0yv9bKS8IZrDhf-o
                                                      2024-10-02 16:58:39 UTC | 1169 bytes | OUT
                                                      Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888317846",null,null,null
                                                      2024-10-02 16:58:39 UTC | 523 bytes | IN | HTTP/1.1 200 OK
                                                      Access-Control-Allow-Origin: https://accounts.google.com
                                                      Cross-Origin-Resource-Policy: cross-origin
                                                      Access-Control-Allow-Credentials: true
                                                      Access-Control-Allow-Headers: X-Playlog-Web
                                                      Content-Type: text/plain; charset=UTF-8
                                                      Date: Wed, 02 Oct 2024 16:58:39 GMT
                                                      Server: Playlog
                                                      Cache-Control: private
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Accept-Ranges: none
                                                      Vary: Accept-Encoding
                                                      Connection: close
                                                      Transfer-Encoding: chunked
                                                      2024-10-02 16:58:39 UTC | 137 bytes | IN
                                                      Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                      2024-10-02 16:58:39 UTC | 5 bytes | IN
                                                      Data Ascii: 0


                                                      Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
                                                      25         | 192.168.2.6 | 49781       | 142.250.185.142 | 443              | 1460 | C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:58:41 UTC | 1318 bytes | OUT | POST /log?format=json&hasfast=true&authuser=0 HTTP/1.1
                                                      Host: play.google.com
                                                      Connection: keep-alive
                                                      Content-Length: 1348
                                                      sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
                                                      sec-ch-ua-mobile: ?0
                                                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
                                                      sec-ch-ua-arch: "x86"
                                                      Content-Type: application/x-www-form-urlencoded;charset=UTF-8
                                                      sec-ch-ua-full-version: "117.0.5938.134"
                                                      sec-ch-ua-platform-version: "10.0.0"
                                                      X-Goog-AuthUser: 0
                                                      sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.134", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.134"
                                                      sec-ch-ua-bitness: "64"
                                                      sec-ch-ua-model: ""
                                                      sec-ch-ua-wow64: ?0
                                                      sec-ch-ua-platform: "Windows"
                                                      Accept: */*
                                                      Origin: https://accounts.google.com
                                                      X-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=
                                                      Sec-Fetch-Site: same-site
                                                      Sec-Fetch-Mode: cors
                                                      Sec-Fetch-Dest: empty
                                                      Referer: https://accounts.google.com/
                                                      Accept-Encoding: gzip, deflate, br
                                                      Accept-Language: en-US,en;q=0.9
                                                      Cookie: NID=518=xk2YEBro0J7KuXBrELGaeLa1QhTVg6z51-sRcWLmE3yff2JGlsLgmP0o6lC9mhg0Z3wMkfTrMuHKwum01xV981AzZftmoom6UTYbtv5xWx5NOnD5w1pTnqQHw8rTTOb-mMxW4ApnAQmF7VOv5YRgkwdZaff9zLQn0XfDVbWdqEx0yv9bKS8IZrDhf-o
                                                      2024-10-02 16:58:41 UTC | 1348 bytes | OUT
                                                      Data Ascii: [[1,null,null,null,null,null,null,null,null,null,[null,null,null,null,"en",null,"30",null,[[["Google Chrome","117"],["Not;A=Brand","8"],["Chromium","117"]],0,"Windows","10.0.0","x86","","117.0.5938.134"],[1,0,0,0,0]]],1828,[["1727888320519",null,null,null
                                                      2024-10-02 16:58:42 UTC | 523 bytes | IN | HTTP/1.1 200 OK
                                                      Access-Control-Allow-Origin: https://accounts.google.com
                                                      Cross-Origin-Resource-Policy: cross-origin
                                                      Access-Control-Allow-Credentials: true
                                                      Access-Control-Allow-Headers: X-Playlog-Web
                                                      Content-Type: text/plain; charset=UTF-8
                                                      Date: Wed, 02 Oct 2024 16:58:42 GMT
                                                      Server: Playlog
                                                      Cache-Control: private
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                      Accept-Ranges: none
                                                      Vary: Accept-Encoding
                                                      Connection: close
                                                      Transfer-Encoding: chunked
                                                      2024-10-02 16:58:42 UTC | 137 bytes | IN
                                                      Data Ascii: 83["-1",null,[[["ANDROID_BACKUP",0],["BATTERY_STATS",0],["SMART_SETUP",0],["TRON",0]],-3334737594024971225],[],{"175237375":[10000]}]
                                                      2024-10-02 16:58:42 UTC | 5 bytes | IN
                                                      Data Ascii: 0


                                                      Session ID | Source IP   | Source Port | Destination IP | Destination Port
                                                      26         | 192.168.2.6 | 49783       | 40.115.3.253   | 443
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      2024-10-02 16:59:03 UTC | 71 bytes | OUT
                                                      Data Ascii: CNT 1 CON 305MS-CV: nk6a+8WDZUOFuCcF.1Context: 77bd102f5993d2e1
                                                      2024-10-02 16:59:03 UTC | 249 bytes | OUT
                                                      Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                      2024-10-02 16:59:03 UTC | 1084 bytes | OUT
                                                      Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: nk6a+8WDZUOFuCcF.2Context: 77bd102f5993d2e1<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAWujTUu+XBpp0vPMOdnP6HupFqfBU565dj/dFc8gNPgHmfOkOnEzyTUSgg/2cDld5+rdajmlOj5DzMOkoDGCfxDNqzvQq3J0rDYecwqDHkogUL
                                                      2024-10-02 16:59:03 UTC | 218 bytes | OUT
                                                      Data Ascii: BND 3 CON\WNS 0 197MS-CV: nk6a+8WDZUOFuCcF.3Context: 77bd102f5993d2e1<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                                      2024-10-02 16:59:03 UTC | 14 bytes | IN
                                                      Data Ascii: 202 1 CON 58
                                                      2024-10-02 16:59:03 UTC | 58 bytes | IN
                                                      Data Ascii: MS-CV: QzMI3Dpqrk2UAQQvBtee6Q.0Payload parsing failed.


                                                      Target ID: 0
                                                      Start time: 12:56:53
                                                      Start date: 02/10/2024
                                                      Path: C:\Users\user\Desktop\file.exe
                                                      Wow64 process (32bit): true
                                                      Commandline: "C:\Users\user\Desktop\file.exe"
                                                      Imagebase: 0x540000
                                                      File size: 918'528 bytes
                                                      MD5 hash: A58015BC46C585AE2B5C5F865221C456
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Reputation: low
                                                      Has exited: true

                                                      Target ID: 1
                                                      Start time: 12:56:53
                                                      Start date: 02/10/2024
                                                      Path: C:\Windows\SysWOW64\taskkill.exe
                                                      Wow64 process (32bit): true
                                                      Commandline: taskkill /F /IM chrome.exe /T
                                                      Imagebase: 0xf50000
                                                      File size: 74'240 bytes
                                                      MD5 hash: CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Reputation: moderate
                                                      Has exited: true

                                                      Target ID: 2
                                                      Start time: 12:56:53
                                                      Start date: 02/10/2024
                                                      Path: C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit): false
                                                      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase: 0x7ff66e660000
                                                      File size: 862'208 bytes
                                                      MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Reputation: high
                                                      Has exited: true

                                                      Target ID: 4
                                                      Start time: 12:56:54
                                                      Start date: 02/10/2024
                                                      Path: C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      Wow64 process (32bit): false
                                                      Commandline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars
                                                      Imagebase: 0x7ff684c40000
                                                      File size: 3'242'272 bytes
                                                      MD5 hash: 5BBFA6CBDF4C254EB368D534F9E23C92
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:6
                                                      Start time:12:56:55
                                                      Start date:02/10/2024
                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 --field-trial-handle=2340,i,8720954307453147582,6285804185776578347,262144 /prefetch:8
                                                      Imagebase:0x7ff684c40000
                                                      File size:3'242'272 bytes
                                                      MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:8
                                                      Start time:12:57:06
                                                      Start date:02/10/2024
                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5416 --field-trial-handle=2340,i,8720954307453147582,6285804185776578347,262144 /prefetch:8
                                                      Imagebase:0x7ff684c40000
                                                      File size:3'242'272 bytes
                                                      MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:9
                                                      Start time:12:57:06
                                                      Start date:02/10/2024
                                                      Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=2340,i,8720954307453147582,6285804185776578347,262144 /prefetch:8
                                                      Imagebase:0x7ff684c40000
                                                      File size:3'242'272 bytes
                                                      MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

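Read together, Target 1 and Target 4 describe one technique: the sample force-kills every chrome.exe (taskkill /F /IM chrome.exe /T) and one second later relaunches a single Chrome window in fullscreen, with the "Restore pages?" bubble and info bars suppressed, pointed at a Google password-challenge URL. The user is left with a full-screen sign-in page and none of the cues a crashed browser would normally give. The detection below is an added example, not Joe Sandbox's or the sample's own code: it pairs a forced browser kill with a locked-down relaunch of the same browser within a short window, rates the result higher when the URL looks like a sign-in page, and ignores Chromium helper processes (those with --type=, like Targets 6, 8 and 9). The event records are constructed to mirror this report's process list using Sysmon Event ID 1 field names; the PIDs and parent PIDs, and the final benign kiosk launch, are assumptions made for the example.

```python
"""Added example: pair a forced browser kill with a locked-down fullscreen relaunch.

Not Joe Sandbox's or the sample's code. SAMPLE_EVENTS is constructed to mirror the
process list in this report; field names follow Sysmon Event ID 1, while the PIDs,
parent PIDs and the benign final event are assumptions made for the example.
"""
import re
from datetime import datetime, timedelta

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
# Flags that remove the user's escape hatches: fullscreen/kiosk display plus suppression
# of the "Restore pages?" bubble and info bars that a forced kill would otherwise show.
LOCKDOWN_FLAGS = {"--start-fullscreen", "--kiosk",
                  "--disable-session-crashed-bubble", "--disable-infobars"}
SIGNIN_URL = re.compile(
    r"accounts\.google\.com|login\.microsoftonline\.com|/signin|/login|challenge/pwd", re.I)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double-quoted arguments."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def image_name(token):
    """Basename of an image path, lower-cased, so C:\\...\\chrome.exe -> chrome.exe."""
    return token.rsplit("\\", 1)[-1].lower()


def forced_browser_kill(cmdline):
    """Return the browser image named by `taskkill /F /IM <image>`, else None."""
    toks = [t.lower() for t in tokenize(cmdline)]
    if not toks or image_name(toks[0]) not in ("taskkill", "taskkill.exe"):
        return None
    if "/f" not in toks or "/im" not in toks or toks.index("/im") + 1 >= len(toks):
        return None
    target = toks[toks.index("/im") + 1]
    return target if target in BROWSER_IMAGES else None


def lockdown_launch(cmdline):
    """Return (browser, url, flags) for a top-level browser started with at least two
    lockdown flags and an explicit URL, else None. Chromium helper processes carry
    --type=... and never hold the URL, so they are skipped."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    browser = image_name(toks[0])
    if browser not in BROWSER_IMAGES or any(t.startswith("--type=") for t in toks):
        return None
    flags = {t.lower() for t in toks[1:]} & LOCKDOWN_FLAGS
    urls = [t for t in toks[1:] if t.lower().startswith(("http://", "https://"))]
    if len(flags) < 2 or not urls:
        return None
    return browser, urls[0], flags


def correlate(events, window=timedelta(seconds=30)):
    """Pair each forced kill with a later lockdown launch of the same browser inside
    `window`. A sign-in URL raises severity; a shared parent PID ties both to one actor."""
    timed = sorted(((datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S"), e) for e in events),
                   key=lambda p: p[0])
    findings = []
    for t_kill, kill in timed:
        target = forced_browser_kill(kill["CommandLine"])
        if not target:
            continue
        for t_launch, launch in timed:
            if not t_kill <= t_launch <= t_kill + window:
                continue
            hit = lockdown_launch(launch["CommandLine"])
            if not hit or hit[0] != target:
                continue
            browser, url, flags = hit
            findings.append({
                "severity": "high" if SIGNIN_URL.search(url) else "medium",
                "browser": browser, "url": url, "flags": sorted(flags),
                "kill_pid": kill["ProcessId"], "launch_pid": launch["ProcessId"],
                "same_parent": kill["ParentProcessId"] == launch["ParentProcessId"],
            })
    return findings


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [  # constructed; PIDs/parents assumed, command lines taken from this report
    {"UtcTime": "2024-10-02 12:56:53", "ProcessId": 4212, "ParentProcessId": 3780,
     "CommandLine": "taskkill /F /IM chrome.exe /T"},
    {"UtcTime": "2024-10-02 12:56:54", "ProcessId": 4300, "ParentProcessId": 3780,
     "CommandLine": f'"{CHROME}" "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" '
                    "--start-fullscreen --no-first-run --disable-session-crashed-bubble --disable-infobars"},
    {"UtcTime": "2024-10-02 12:56:55", "ProcessId": 4312, "ParentProcessId": 4300,
     "CommandLine": f'"{CHROME}" --type=utility --utility-sub-type=network.mojom.NetworkService '
                    "--lang=en-US --service-sandbox-type=none"},
    # assumed benign: a kiosk dashboard opened by the shell with no preceding kill
    {"UtcTime": "2024-10-02 13:10:00", "ProcessId": 5000, "ParentProcessId": 900,
     "CommandLine": f'"{CHROME}" --kiosk --disable-infobars "https://dashboard.example.internal/"'},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Requiring two lockdown flags rather than one keeps ordinary kiosk deployments (a single --kiosk for a signage display) out of the alert unless they also follow a forced kill, and the same_parent field is what distinguishes a user restarting their own browser from a third process, as here, driving both the kill and the relaunch.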

                                                        Execution Graph

                                                        Execution Coverage:2.2%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:10.5%
                                                        Total number of Nodes:1727
                                                        Total number of Limit Nodes:61

                                                        [Execution graph node export omitted: the interactive call graph is not readable as text. What survives of it is the set of Windows APIs named on its nodes.]
                                                        Window, tray and focus handling: DefWindowProcW, PostQuitMessage, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow, SetFocus, Shell_NotifyIconW, LoadStringW, IsWindow, IsIconic, ShowWindow, EnableWindow, GetWindowTextW, FindWindowW, GetForegroundWindow, SetForegroundWindow, AttachThreadInput, DeleteObject, DestroyWindow, DestroyIcon. One path in the graph runs FindWindowW, IsIconic, ShowWindow, SetForegroundWindow and then three AttachThreadInput calls, which is a forced window activation.
                                                        Module, resource and path handling: LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, FindResourceExW, LoadResource, SizeofResource, LockResource, CreateStreamOnHGlobal.
                                                        Registry: RegOpenKeyExW, RegQueryValueExW, RegCloseKey.
                                                        Heap, synchronisation and runtime: RtlAllocateHeap, RtlFreeHeap, GetLastError, RaiseException, EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CloseHandle, VariantClear, lstrlenW, timeGetTime, Sleep.
95459->95461 95463 5ae993 QueryPerformanceCounter 95459->95463 95460->95353 95461->95460 95463->95461 95464 5ae9a1 QueryPerformanceFrequency 95463->95464 95465 5ae9ab Sleep QueryPerformanceCounter 95464->95465 95466 5ae9ec 95465->95466 95466->95465 95467 5ae9f0 95466->95467 95467->95460 95469 547525 95468->95469 95485 547522 95468->95485 95470 54752d 95469->95470 95471 54755b 95469->95471 95492 5651c6 26 API calls 95470->95492 95472 5850f6 95471->95472 95475 58500f 95471->95475 95476 54756d 95471->95476 95495 565183 26 API calls 95472->95495 95484 55fe0b 22 API calls 95475->95484 95490 585088 95475->95490 95493 55fb21 51 API calls 95476->95493 95477 54753d 95480 55fddb 22 API calls 95477->95480 95478 58510e 95478->95478 95482 547547 95480->95482 95483 549cb3 22 API calls 95482->95483 95483->95485 95486 585058 95484->95486 95485->95442 95491 54a8c7 22 API calls __fread_nolock 95485->95491 95487 55fddb 22 API calls 95486->95487 95488 58507f 95487->95488 95489 549cb3 22 API calls 95488->95489 95489->95490 95494 55fb21 51 API calls 95490->95494 95491->95442 95492->95477 95493->95477 95494->95472 95495->95478 95497 549c7e 95496->95497 95498 58f545 95496->95498 95503 55fddb 22 API calls 95497->95503 95499 58f556 95498->95499 95501 546b57 22 API calls 95498->95501 95500 54a6c3 22 API calls 95499->95500 95502 58f560 95500->95502 95501->95499 95502->95502 95504 549c91 95503->95504 95505 549cac 95504->95505 95506 549c9a 95504->95506 95508 54a961 22 API calls 95505->95508 95507 549cb3 22 API calls 95506->95507 95509 549ca2 95507->95509 95508->95509 95509->95363 95510->95369 95511->95368 95512->95372 95513->95375 95514->95378 95516 5cb01d ___scrt_fastfail 95515->95516 95517 5cb058 95516->95517 95518 5cb094 95516->95518 95613 54b567 95517->95613 95520 54b567 39 API calls 95518->95520 95525 5cb08b 95518->95525 95524 5cb0a5 95520->95524 95521 5cb063 95521->95525 95528 54b567 39 API calls 95521->95528 95522 5cb0ed 95523 547510 53 API calls 95522->95523 95526 5cb10b 95523->95526 
95527 54b567 39 API calls 95524->95527 95525->95522 95529 54b567 39 API calls 95525->95529 95606 547620 95526->95606 95527->95525 95531 5cb078 95528->95531 95529->95522 95533 54b567 39 API calls 95531->95533 95532 5cb115 95534 5cb11f 95532->95534 95535 5cb1d8 95532->95535 95533->95525 95536 547510 53 API calls 95534->95536 95537 5cb20a GetCurrentDirectoryW 95535->95537 95540 547510 53 API calls 95535->95540 95538 5cb130 95536->95538 95539 55fe0b 22 API calls 95537->95539 95542 547620 22 API calls 95538->95542 95543 5cb22f GetCurrentDirectoryW 95539->95543 95541 5cb1ef 95540->95541 95544 547620 22 API calls 95541->95544 95545 5cb13a 95542->95545 95546 5cb23c 95543->95546 95547 5cb1f9 _wcslen 95544->95547 95548 547510 53 API calls 95545->95548 95550 5cb275 95546->95550 95552 549c6e 22 API calls 95546->95552 95547->95537 95547->95550 95549 5cb14b 95548->95549 95551 547620 22 API calls 95549->95551 95555 5cb28b 95550->95555 95556 5cb287 95550->95556 95553 5cb155 95551->95553 95554 5cb255 95552->95554 95557 547510 53 API calls 95553->95557 95558 549c6e 22 API calls 95554->95558 95618 5b07c0 10 API calls 95555->95618 95565 5cb2f8 95556->95565 95566 5cb39a CreateProcessW 95556->95566 95560 5cb166 95557->95560 95561 5cb265 95558->95561 95562 547620 22 API calls 95560->95562 95563 549c6e 22 API calls 95561->95563 95567 5cb170 95562->95567 95563->95550 95564 5cb294 95619 5b06e6 10 API calls 95564->95619 95621 5a11c8 39 API calls 95565->95621 95583 5cb32f _wcslen 95566->95583 95571 5cb1a6 GetSystemDirectoryW 95567->95571 95575 547510 53 API calls 95567->95575 95570 5cb2fd 95573 5cb32a 95570->95573 95574 5cb323 95570->95574 95577 55fe0b 22 API calls 95571->95577 95572 5cb2aa 95620 5b05a7 8 API calls 95572->95620 95623 5a14ce 6 API calls 95573->95623 95622 5a1201 128 API calls 2 library calls 95574->95622 95579 5cb187 95575->95579 95582 5cb1cb GetSystemDirectoryW 95577->95582 95585 547620 22 API calls 95579->95585 95581 5cb2d0 95581->95556 95582->95546 95587 5cb42f CloseHandle 
95583->95587 95588 5cb3d6 GetLastError 95583->95588 95584 5cb328 95584->95583 95586 5cb191 _wcslen 95585->95586 95586->95546 95586->95571 95589 5cb43f 95587->95589 95597 5cb49a 95587->95597 95596 5cb41a 95588->95596 95591 5cb446 CloseHandle 95589->95591 95592 5cb451 95589->95592 95591->95592 95594 5cb458 CloseHandle 95592->95594 95595 5cb463 95592->95595 95593 5cb4a6 95593->95596 95594->95595 95598 5cb46a CloseHandle 95595->95598 95599 5cb475 95595->95599 95610 5b0175 95596->95610 95597->95593 95603 5cb4d2 CloseHandle 95597->95603 95598->95599 95624 5b09d9 34 API calls 95599->95624 95602 5cb486 95625 5cb536 25 API calls 95602->95625 95603->95596 95607 54762a _wcslen 95606->95607 95608 55fe0b 22 API calls 95607->95608 95609 54763f 95608->95609 95609->95532 95626 5b030f 95610->95626 95614 54b578 95613->95614 95615 54b57f 95613->95615 95614->95615 95639 5662d1 39 API calls _strftime 95614->95639 95615->95521 95617 54b5c2 95617->95521 95618->95564 95619->95572 95620->95581 95621->95570 95622->95584 95623->95583 95624->95602 95625->95597 95627 5b0329 95626->95627 95628 5b0321 CloseHandle 95626->95628 95629 5b032e CloseHandle 95627->95629 95630 5b0336 95627->95630 95628->95627 95629->95630 95631 5b033b CloseHandle 95630->95631 95632 5b0343 95630->95632 95631->95632 95633 5b0348 CloseHandle 95632->95633 95634 5b0350 95632->95634 95633->95634 95635 5b035d 95634->95635 95636 5b0355 CloseHandle 95634->95636 95637 5b017d 95635->95637 95638 5b0362 CloseHandle 95635->95638 95636->95635 95637->95314 95638->95637 95639->95617 95640->95396 95642 5adbdc GetFileAttributesW 95641->95642 95643 5adc06 95641->95643 95642->95643 95644 5adbe8 FindFirstFileW 95642->95644 95643->95406 95644->95643 95645 5adbf9 FindClose 95644->95645 95645->95643 95647 5d2ad8 54 API calls 95646->95647 95648 5d2b40 95647->95648 95649 5d2b51 timeGetTime 95648->95649 95650 54b567 39 API calls 95648->95650 95649->95416 95650->95649 95652 541098 95657 5442de 95652->95657 95656 5410a7 95658 54a961 22 API calls 
95657->95658 95659 5442f5 GetVersionExW 95658->95659 95660 546b57 22 API calls 95659->95660 95661 544342 95660->95661 95662 5493b2 22 API calls 95661->95662 95666 544378 95661->95666 95663 54436c 95662->95663 95665 5437a0 22 API calls 95663->95665 95664 54441b GetCurrentProcess IsWow64Process 95667 544437 95664->95667 95665->95666 95666->95664 95672 5837df 95666->95672 95668 54444f LoadLibraryA 95667->95668 95669 583824 GetSystemInfo 95667->95669 95670 544460 GetProcAddress 95668->95670 95671 54449c GetSystemInfo 95668->95671 95670->95671 95673 544470 GetNativeSystemInfo 95670->95673 95674 544476 95671->95674 95673->95674 95675 54109d 95674->95675 95676 54447a FreeLibrary 95674->95676 95677 5600a3 29 API calls __onexit 95675->95677 95676->95675 95677->95656 95678 593f75 95689 55ceb1 95678->95689 95680 593f8b 95688 594006 95680->95688 95756 55e300 23 API calls 95680->95756 95683 594052 95686 594a88 95683->95686 95758 5b359c 82 API calls __wsopen_s 95683->95758 95685 593fe6 95685->95683 95757 5b1abf 22 API calls 95685->95757 95698 54bf40 95688->95698 95690 55ced2 95689->95690 95691 55cebf 95689->95691 95693 55cf05 95690->95693 95694 55ced7 95690->95694 95692 54aceb 23 API calls 95691->95692 95697 55cec9 95692->95697 95696 54aceb 23 API calls 95693->95696 95695 55fddb 22 API calls 95694->95695 95695->95697 95696->95697 95697->95680 95759 54adf0 95698->95759 95700 54bf9d 95701 54bfa9 95700->95701 95702 5904b6 95700->95702 95704 5904c6 95701->95704 95705 54c01e 95701->95705 95777 5b359c 82 API calls __wsopen_s 95702->95777 95778 5b359c 82 API calls __wsopen_s 95704->95778 95764 54ac91 95705->95764 95709 54c7da 95712 55fe0b 22 API calls 95709->95712 95718 54c808 __fread_nolock 95712->95718 95714 5904f5 95719 59055a 95714->95719 95779 55d217 377 API calls 95714->95779 95717 54af8a 22 API calls 95754 54c039 ISource __fread_nolock 95717->95754 95721 55fe0b 22 API calls 95718->95721 95744 54c603 95719->95744 95780 5b359c 82 API calls __wsopen_s 95719->95780 95720 54ec40 377 
API calls 95720->95754 95745 54c350 ISource __fread_nolock 95721->95745 95722 5a7120 22 API calls 95722->95754 95723 59091a 95789 5b3209 23 API calls 95723->95789 95726 5908a5 95727 54ec40 377 API calls 95726->95727 95728 5908cf 95727->95728 95728->95744 95787 54a81b 41 API calls 95728->95787 95730 590591 95781 5b359c 82 API calls __wsopen_s 95730->95781 95734 5908f6 95788 5b359c 82 API calls __wsopen_s 95734->95788 95736 54bbe0 40 API calls 95736->95754 95737 54c3ac 95737->95683 95738 54aceb 23 API calls 95738->95754 95739 55fddb 22 API calls 95739->95754 95740 54c237 95741 54c253 95740->95741 95790 54a8c7 22 API calls __fread_nolock 95740->95790 95746 590976 95741->95746 95750 54c297 ISource 95741->95750 95742 55fe0b 22 API calls 95742->95754 95744->95683 95745->95737 95776 55ce17 22 API calls ISource 95745->95776 95748 54aceb 23 API calls 95746->95748 95749 5909bf 95748->95749 95749->95744 95791 5b359c 82 API calls __wsopen_s 95749->95791 95750->95749 95751 54aceb 23 API calls 95750->95751 95752 54c335 95751->95752 95752->95749 95753 54c342 95752->95753 95775 54a704 22 API calls ISource 95753->95775 95754->95709 95754->95714 95754->95717 95754->95718 95754->95719 95754->95720 95754->95722 95754->95723 95754->95726 95754->95730 95754->95734 95754->95736 95754->95738 95754->95739 95754->95740 95754->95742 95754->95744 95754->95749 95768 54ad81 95754->95768 95782 5a7099 22 API calls __fread_nolock 95754->95782 95783 5c5745 54 API calls _wcslen 95754->95783 95784 55aa42 22 API calls ISource 95754->95784 95785 5af05c 40 API calls 95754->95785 95786 54a993 41 API calls 95754->95786 95756->95685 95757->95688 95758->95686 95760 54ae01 95759->95760 95763 54ae1c ISource 95759->95763 95761 54aec9 22 API calls 95760->95761 95762 54ae09 CharUpperBuffW 95761->95762 95762->95763 95763->95700 95766 54acae 95764->95766 95765 54acd1 95765->95754 95766->95765 95792 5b359c 82 API calls __wsopen_s 95766->95792 95769 58fadb 95768->95769 95770 54ad92 95768->95770 95771 55fddb 22 API 
calls 95770->95771 95772 54ad99 95771->95772 95793 54adcd 95772->95793 95775->95745 95776->95745 95777->95704 95778->95744 95779->95719 95780->95744 95781->95744 95782->95754 95783->95754 95784->95754 95785->95754 95786->95754 95787->95734 95788->95744 95789->95740 95790->95741 95791->95744 95792->95765 95799 54addd 95793->95799 95794 54adb6 95794->95754 95795 55fddb 22 API calls 95795->95799 95796 54a961 22 API calls 95796->95799 95798 54adcd 22 API calls 95798->95799 95799->95794 95799->95795 95799->95796 95799->95798 95800 54a8c7 22 API calls __fread_nolock 95799->95800 95800->95799 95801 5603fb 95802 560407 CallCatchBlock 95801->95802 95830 55feb1 95802->95830 95804 56040e 95805 560561 95804->95805 95808 560438 95804->95808 95860 56083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 95805->95860 95807 560568 95853 564e52 95807->95853 95818 560477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 95808->95818 95841 57247d 95808->95841 95815 560457 95817 5604d8 95849 560959 95817->95849 95818->95817 95856 564e1a 38 API calls 2 library calls 95818->95856 95821 5604de 95822 5604f3 95821->95822 95857 560992 GetModuleHandleW 95822->95857 95824 5604fa 95824->95807 95825 5604fe 95824->95825 95826 560507 95825->95826 95858 564df5 28 API calls _abort 95825->95858 95859 560040 13 API calls 2 library calls 95826->95859 95829 56050f 95829->95815 95831 55feba 95830->95831 95862 560698 IsProcessorFeaturePresent 95831->95862 95833 55fec6 95863 562c94 10 API calls 3 library calls 95833->95863 95835 55fecb 95840 55fecf 95835->95840 95864 572317 95835->95864 95838 55fee6 95838->95804 95840->95804 95843 572494 95841->95843 95842 560a8c _ValidateLocalCookies 5 API calls 95844 560451 95842->95844 95843->95842 95844->95815 95845 572421 95844->95845 95846 572450 95845->95846 95847 560a8c _ValidateLocalCookies 5 API calls 95846->95847 95848 572479 95847->95848 95848->95818 95923 562340 95849->95923 
95852 56097f 95852->95821 95925 564bcf 95853->95925 95856->95817 95857->95824 95858->95826 95859->95829 95860->95807 95862->95833 95863->95835 95868 57d1f6 95864->95868 95867 562cbd 8 API calls 3 library calls 95867->95840 95869 57d213 95868->95869 95870 57d20f 95868->95870 95869->95870 95874 574bfb 95869->95874 95886 560a8c 95870->95886 95872 55fed8 95872->95838 95872->95867 95875 574c07 CallCatchBlock 95874->95875 95893 572f5e EnterCriticalSection 95875->95893 95877 574c0e 95894 5750af 95877->95894 95879 574c1d 95880 574c2c 95879->95880 95907 574a8f 29 API calls 95879->95907 95909 574c48 LeaveCriticalSection _abort 95880->95909 95883 574c27 95908 574b45 GetStdHandle GetFileType 95883->95908 95884 574c3d __fread_nolock 95884->95869 95887 560a97 IsProcessorFeaturePresent 95886->95887 95888 560a95 95886->95888 95890 560c5d 95887->95890 95888->95872 95922 560c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 95890->95922 95892 560d40 95892->95872 95893->95877 95895 5750bb CallCatchBlock 95894->95895 95896 5750df 95895->95896 95897 5750c8 95895->95897 95910 572f5e EnterCriticalSection 95896->95910 95918 56f2d9 20 API calls __dosmaperr 95897->95918 95900 5750cd 95919 5727ec 26 API calls pre_c_initialization 95900->95919 95902 575117 95920 57513e LeaveCriticalSection _abort 95902->95920 95903 5750d7 __fread_nolock 95903->95879 95906 5750eb 95906->95902 95911 575000 95906->95911 95907->95883 95908->95880 95909->95884 95910->95906 95912 574c7d _abort 20 API calls 95911->95912 95913 575012 95912->95913 95917 57501f 95913->95917 95921 573405 11 API calls 2 library calls 95913->95921 95914 5729c8 _free 20 API calls 95915 575071 95914->95915 95915->95906 95917->95914 95918->95900 95919->95903 95920->95903 95921->95913 95922->95892 95924 56096c GetStartupInfoW 95923->95924 95924->95852 95926 564bdb _abort 95925->95926 95927 564bf4 95926->95927 95928 564be2 95926->95928 95949 572f5e EnterCriticalSection 95927->95949 95964 564d29 
GetModuleHandleW 95928->95964 95931 564be7 95931->95927 95965 564d6d GetModuleHandleExW 95931->95965 95932 564c99 95953 564cd9 95932->95953 95937 564c70 95939 564c88 95937->95939 95944 572421 _abort 5 API calls 95937->95944 95938 564bfb 95938->95932 95938->95937 95950 5721a8 95938->95950 95945 572421 _abort 5 API calls 95939->95945 95940 564cb6 95956 564ce8 95940->95956 95941 564ce2 95973 581d29 5 API calls _ValidateLocalCookies 95941->95973 95944->95939 95945->95932 95949->95938 95974 571ee1 95950->95974 95993 572fa6 LeaveCriticalSection 95953->95993 95955 564cb2 95955->95940 95955->95941 95994 57360c 95956->95994 95959 564d16 95962 564d6d _abort 8 API calls 95959->95962 95960 564cf6 GetPEB 95960->95959 95961 564d06 GetCurrentProcess TerminateProcess 95960->95961 95961->95959 95963 564d1e ExitProcess 95962->95963 95964->95931 95966 564d97 GetProcAddress 95965->95966 95967 564dba 95965->95967 95972 564dac 95966->95972 95968 564dc0 FreeLibrary 95967->95968 95969 564dc9 95967->95969 95968->95969 95970 560a8c _ValidateLocalCookies 5 API calls 95969->95970 95971 564bf3 95970->95971 95971->95927 95972->95967 95977 571e90 95974->95977 95976 571f05 95976->95937 95978 571e9c CallCatchBlock 95977->95978 95985 572f5e EnterCriticalSection 95978->95985 95980 571eaa 95986 571f31 95980->95986 95984 571ec8 __fread_nolock 95984->95976 95985->95980 95989 571f59 95986->95989 95990 571f51 95986->95990 95987 560a8c _ValidateLocalCookies 5 API calls 95988 571eb7 95987->95988 95992 571ed5 LeaveCriticalSection _abort 95988->95992 95989->95990 95991 5729c8 _free 20 API calls 95989->95991 95990->95987 95991->95990 95992->95984 95993->95955 95995 573627 95994->95995 95996 573631 95994->95996 95998 560a8c _ValidateLocalCookies 5 API calls 95995->95998 96001 572fd7 5 API calls 2 library calls 95996->96001 95999 564cf2 95998->95999 95999->95959 95999->95960 96000 573648 96000->95995 96001->96000 96002 54105b 96007 54344d 96002->96007 96004 54106a 96038 5600a3 29 API calls __onexit 96004->96038 
96006 541074 96008 54345d __wsopen_s 96007->96008 96009 54a961 22 API calls 96008->96009 96010 543513 96009->96010 96011 543a5a 24 API calls 96010->96011 96012 54351c 96011->96012 96039 543357 96012->96039 96015 5433c6 22 API calls 96016 543535 96015->96016 96017 54515f 22 API calls 96016->96017 96018 543544 96017->96018 96019 54a961 22 API calls 96018->96019 96020 54354d 96019->96020 96021 54a6c3 22 API calls 96020->96021 96022 543556 RegOpenKeyExW 96021->96022 96023 583176 RegQueryValueExW 96022->96023 96027 543578 96022->96027 96024 58320c RegCloseKey 96023->96024 96025 583193 96023->96025 96024->96027 96037 58321e _wcslen 96024->96037 96026 55fe0b 22 API calls 96025->96026 96028 5831ac 96026->96028 96027->96004 96029 545722 22 API calls 96028->96029 96030 5831b7 RegQueryValueExW 96029->96030 96031 5831d4 96030->96031 96034 5831ee ISource 96030->96034 96032 546b57 22 API calls 96031->96032 96032->96034 96033 544c6d 22 API calls 96033->96037 96034->96024 96035 549cb3 22 API calls 96035->96037 96036 54515f 22 API calls 96036->96037 96037->96027 96037->96033 96037->96035 96037->96036 96038->96006 96040 581f50 __wsopen_s 96039->96040 96041 543364 GetFullPathNameW 96040->96041 96042 543386 96041->96042 96043 546b57 22 API calls 96042->96043 96044 5433a4 96043->96044 96044->96015 96045 541044 96050 5410f3 96045->96050 96047 54104a 96086 5600a3 29 API calls __onexit 96047->96086 96049 541054 96087 541398 96050->96087 96054 54116a 96055 54a961 22 API calls 96054->96055 96056 541174 96055->96056 96057 54a961 22 API calls 96056->96057 96058 54117e 96057->96058 96059 54a961 22 API calls 96058->96059 96060 541188 96059->96060 96061 54a961 22 API calls 96060->96061 96062 5411c6 96061->96062 96063 54a961 22 API calls 96062->96063 96064 541292 96063->96064 96097 54171c 96064->96097 96068 5412c4 96069 54a961 22 API calls 96068->96069 96070 5412ce 96069->96070 96071 551940 9 API calls 96070->96071 96072 5412f9 96071->96072 96118 541aab 96072->96118 96074 541315 96075 541325 
GetStdHandle 96074->96075 96076 582485 96075->96076 96077 54137a 96075->96077 96076->96077 96078 58248e 96076->96078 96081 541387 OleInitialize 96077->96081 96079 55fddb 22 API calls 96078->96079 96080 582495 96079->96080 96125 5b011d InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 96080->96125 96081->96047 96083 58249e 96126 5b0944 CreateThread 96083->96126 96085 5824aa CloseHandle 96085->96077 96086->96049 96127 5413f1 96087->96127 96090 5413f1 22 API calls 96091 5413d0 96090->96091 96092 54a961 22 API calls 96091->96092 96093 5413dc 96092->96093 96094 546b57 22 API calls 96093->96094 96095 541129 96094->96095 96096 541bc3 6 API calls 96095->96096 96096->96054 96098 54a961 22 API calls 96097->96098 96099 54172c 96098->96099 96100 54a961 22 API calls 96099->96100 96101 541734 96100->96101 96102 54a961 22 API calls 96101->96102 96103 54174f 96102->96103 96104 55fddb 22 API calls 96103->96104 96105 54129c 96104->96105 96106 541b4a 96105->96106 96107 541b58 96106->96107 96108 54a961 22 API calls 96107->96108 96109 541b63 96108->96109 96110 54a961 22 API calls 96109->96110 96111 541b6e 96110->96111 96112 54a961 22 API calls 96111->96112 96113 541b79 96112->96113 96114 54a961 22 API calls 96113->96114 96115 541b84 96114->96115 96116 55fddb 22 API calls 96115->96116 96117 541b96 RegisterWindowMessageW 96116->96117 96117->96068 96119 58272d 96118->96119 96120 541abb 96118->96120 96134 5b3209 23 API calls 96119->96134 96121 55fddb 22 API calls 96120->96121 96123 541ac3 96121->96123 96123->96074 96124 582738 96125->96083 96126->96085 96135 5b092a 28 API calls 96126->96135 96128 54a961 22 API calls 96127->96128 96129 5413fc 96128->96129 96130 54a961 22 API calls 96129->96130 96131 541404 96130->96131 96132 54a961 22 API calls 96131->96132 96133 5413c6 96132->96133 96133->96090 96134->96124 96136 578402 96141 5781be 96136->96141 96139 57842a 96146 5781ef try_get_first_available_module 96141->96146 96143 5783ee 
96160 5727ec 26 API calls pre_c_initialization 96143->96160 96145 578343 96145->96139 96153 580984 96145->96153 96152 578338 96146->96152 96156 568e0b 40 API calls 2 library calls 96146->96156 96148 57838c 96148->96152 96157 568e0b 40 API calls 2 library calls 96148->96157 96150 5783ab 96150->96152 96158 568e0b 40 API calls 2 library calls 96150->96158 96152->96145 96159 56f2d9 20 API calls __dosmaperr 96152->96159 96161 580081 96153->96161 96155 58099f 96155->96139 96156->96148 96157->96150 96158->96152 96159->96143 96160->96145 96164 58008d CallCatchBlock 96161->96164 96162 58009b 96219 56f2d9 20 API calls __dosmaperr 96162->96219 96164->96162 96166 5800d4 96164->96166 96165 5800a0 96220 5727ec 26 API calls pre_c_initialization 96165->96220 96172 58065b 96166->96172 96171 5800aa __fread_nolock 96171->96155 96222 58042f 96172->96222 96175 58068d 96254 56f2c6 20 API calls __dosmaperr 96175->96254 96176 5806a6 96240 575221 96176->96240 96179 5806ab 96180 5806cb 96179->96180 96181 5806b4 96179->96181 96253 58039a CreateFileW 96180->96253 96256 56f2c6 20 API calls __dosmaperr 96181->96256 96185 5800f8 96221 580121 LeaveCriticalSection __wsopen_s 96185->96221 96186 5806b9 96257 56f2d9 20 API calls __dosmaperr 96186->96257 96187 580781 GetFileType 96190 58078c GetLastError 96187->96190 96191 5807d3 96187->96191 96189 580756 GetLastError 96259 56f2a3 20 API calls __dosmaperr 96189->96259 96260 56f2a3 20 API calls __dosmaperr 96190->96260 96262 57516a 21 API calls 2 library calls 96191->96262 96192 580692 96255 56f2d9 20 API calls __dosmaperr 96192->96255 96193 580704 96193->96187 96193->96189 96258 58039a CreateFileW 96193->96258 96197 58079a CloseHandle 96197->96192 96200 5807c3 96197->96200 96199 580749 96199->96187 96199->96189 96261 56f2d9 20 API calls __dosmaperr 96200->96261 96202 5807f4 96204 580840 96202->96204 96263 5805ab 72 API calls 3 library calls 96202->96263 96203 5807c8 96203->96192 96208 58086d 96204->96208 96264 58014d 72 API calls 4 library calls 
96204->96264 96207 580866 96207->96208 96209 58087e 96207->96209 96210 5786ae __wsopen_s 29 API calls 96208->96210 96209->96185 96211 5808fc CloseHandle 96209->96211 96210->96185 96265 58039a CreateFileW 96211->96265 96213 580927 96214 580931 GetLastError 96213->96214 96215 58095d 96213->96215 96266 56f2a3 20 API calls __dosmaperr 96214->96266 96215->96185 96217 58093d 96267 575333 21 API calls 2 library calls 96217->96267 96219->96165 96220->96171 96221->96171 96223 580450 96222->96223 96224 58046a 96222->96224 96223->96224 96275 56f2d9 20 API calls __dosmaperr 96223->96275 96268 5803bf 96224->96268 96227 58045f 96276 5727ec 26 API calls pre_c_initialization 96227->96276 96229 5804a2 96230 5804d1 96229->96230 96277 56f2d9 20 API calls __dosmaperr 96229->96277 96235 580524 96230->96235 96279 56d70d 26 API calls 2 library calls 96230->96279 96233 58051f 96233->96235 96236 58059e 96233->96236 96234 5804c6 96278 5727ec 26 API calls pre_c_initialization 96234->96278 96235->96175 96235->96176 96280 5727fc 11 API calls _abort 96236->96280 96239 5805aa 96241 57522d CallCatchBlock 96240->96241 96283 572f5e EnterCriticalSection 96241->96283 96243 575234 96245 575259 96243->96245 96249 5752c7 EnterCriticalSection 96243->96249 96251 57527b 96243->96251 96246 575000 __wsopen_s 21 API calls 96245->96246 96247 57525e 96246->96247 96247->96251 96287 575147 EnterCriticalSection 96247->96287 96248 5752a4 __fread_nolock 96248->96179 96249->96251 96252 5752d4 LeaveCriticalSection 96249->96252 96284 57532a 96251->96284 96252->96243 96253->96193 96254->96192 96255->96185 96256->96186 96257->96192 96258->96199 96259->96192 96260->96197 96261->96203 96262->96202 96263->96204 96264->96207 96265->96213 96266->96217 96267->96215 96271 5803d7 96268->96271 96269 5803f2 96269->96229 96271->96269 96281 56f2d9 20 API calls __dosmaperr 96271->96281 96272 580416 96282 5727ec 26 API calls pre_c_initialization 96272->96282 96274 580421 96274->96229 96275->96227 96276->96224 96277->96234 96278->96230 
96279->96233 96280->96239 96281->96272 96282->96274 96283->96243 96288 572fa6 LeaveCriticalSection 96284->96288 96286 575331 96286->96248 96287->96251 96288->96286 96289 542de3 96290 542df0 __wsopen_s 96289->96290 96291 582c2b ___scrt_fastfail 96290->96291 96292 542e09 96290->96292 96294 582c47 GetOpenFileNameW 96291->96294 96293 543aa2 23 API calls 96292->96293 96295 542e12 96293->96295 96296 582c96 96294->96296 96305 542da5 96295->96305 96298 546b57 22 API calls 96296->96298 96300 582cab 96298->96300 96300->96300 96302 542e27 96323 5444a8 96302->96323 96306 581f50 __wsopen_s 96305->96306 96307 542db2 GetLongPathNameW 96306->96307 96308 546b57 22 API calls 96307->96308 96309 542dda 96308->96309 96310 543598 96309->96310 96311 54a961 22 API calls 96310->96311 96312 5435aa 96311->96312 96313 543aa2 23 API calls 96312->96313 96314 5435b5 96313->96314 96315 5832eb 96314->96315 96316 5435c0 96314->96316 96320 58330d 96315->96320 96358 55ce60 41 API calls 96315->96358 96317 54515f 22 API calls 96316->96317 96319 5435cc 96317->96319 96352 5435f3 96319->96352 96322 5435df 96322->96302 96324 544ecb 94 API calls 96323->96324 96325 5444cd 96324->96325 96326 583833 96325->96326 96327 544ecb 94 API calls 96325->96327 96328 5b2cf9 80 API calls 96326->96328 96329 5444e1 96327->96329 96330 583848 96328->96330 96329->96326 96331 5444e9 96329->96331 96332 583869 96330->96332 96333 58384c 96330->96333 96335 5444f5 96331->96335 96336 583854 96331->96336 96334 55fe0b 22 API calls 96332->96334 96337 544f39 68 API calls 96333->96337 96342 5838ae 96334->96342 96359 54940c 136 API calls 2 library calls 96335->96359 96360 5ada5a 82 API calls 96336->96360 96337->96336 96340 583862 96340->96332 96341 542e31 96344 583a5f 96342->96344 96349 549cb3 22 API calls 96342->96349 96361 5a967e 22 API calls __fread_nolock 96342->96361 96362 5a95ad 42 API calls _wcslen 96342->96362 96363 5b0b5a 22 API calls 96342->96363 96364 54a4a1 22 API calls __fread_nolock 96342->96364 96365 543ff7 22 API calls 
                                                        Control-flow graph (rendered graph not reproduced; the edge list referenced basic blocks by address inside the 0x00540000 image together with per-block API call counts). Named API calls visible in these graphs: a message pump (PeekMessageW, GetInputState, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, IsDialogMessageW, GetClassLongW, timeGetTime, Sleep, GetForegroundWindow); child-process polling (GetExitCodeProcess, WaitForSingleObject, CloseHandle); SystemParametersInfoW; a shutdown/cleanup path (DestroyWindow, mciSendStringW, UnregisterHotKey, FindClose, FreeLibrary, VirtualFree, VirtualFreeEx, CoUninitialize, InternetCloseHandle); synchronisation helpers (EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent); and a start-up path that creates two windows (CreateWindowExW, ShowWindow), registers a tray icon (Shell_NotifyIconW), sets the working directory (SetCurrentDirectoryW) and can relaunch through ShellExecuteW after GetForegroundWindow. CRT helpers referenced: __wsopen_s, __fread_nolock, __onexit, __Init_thread_wait, ___scrt_fastfail.

                                                        Control-flow Graph

                                                        APIs
                                                        • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0055F998
                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0059F474
                                                        • IsIconic.USER32(00000000), ref: 0059F47D
                                                        • ShowWindow.USER32(00000000,00000009), ref: 0059F48A
                                                        • SetForegroundWindow.USER32(00000000), ref: 0059F494
                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0059F4AA
                                                        • GetCurrentThreadId.KERNEL32 ref: 0059F4B1
                                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0059F4BD
                                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 0059F4CE
                                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 0059F4D6
                                                        • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0059F4DE
                                                        • SetForegroundWindow.USER32(00000000), ref: 0059F4E1
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0059F4F6
                                                        • keybd_event.USER32(00000012,00000000), ref: 0059F501
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0059F50B
                                                        • keybd_event.USER32(00000012,00000000), ref: 0059F510
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0059F519
                                                        • keybd_event.USER32(00000012,00000000), ref: 0059F51E
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 0059F528
                                                        • keybd_event.USER32(00000012,00000000), ref: 0059F52D
                                                        • SetForegroundWindow.USER32(00000000), ref: 0059F530
                                                        • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0059F557
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        (The same memory dump source and snapshot file apply to every function listed below.)
                                                        Similarity
                                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                        • String ID: Shell_TrayWnd
                                                        • API String ID: 4125248594-2988720461
                                                        • Opcode ID: a67a88fa78578f757d305813d16236f15a1fc1865a46392d317369167197d9c7
                                                        • Instruction ID: 19b5cffb573349cedc3d66ead7ed61a5f3639e5a1ea73b425a37b82c8d1448c6
                                                        • Opcode Fuzzy Hash: a67a88fa78578f757d305813d16236f15a1fc1865a46392d317369167197d9c7
                                                        • Instruction Fuzzy Hash: 67312D71A41219BAEF306BA55C4AFBF7F6CEB44B50F110467FA05E61D1C6B19900EBA0

                                                        Control-flow Graph

                                                        Control-flow graph (edge list omitted). The graph calls GetVersionExW, then GetCurrentProcess and IsWow64Process; it loads kernel32.dll with LoadLibraryA and resolves GetNativeSystemInfo with GetProcAddress, calling it when the lookup succeeds and falling back to GetSystemInfo when LoadLibraryA or GetProcAddress fails, then releases the module with FreeLibrary.
                                                        APIs
                                                        • GetVersionExW.KERNEL32(?), ref: 0054430D
                                                          • Part of subcall function 00546B57: _wcslen.LIBCMT ref: 00546B6A
                                                        • GetCurrentProcess.KERNEL32(?,005DCB64,00000000,?,?), ref: 00544422
                                                        • IsWow64Process.KERNEL32(00000000,?,?), ref: 00544429
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00544454
                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00544466
                                                        • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00544474
                                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 0054447B
                                                        • GetSystemInfo.KERNEL32(?,?,?), ref: 005444A0
                                                        Similarity
                                                        • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                        • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                        • API String ID: 3290436268-3101561225
                                                        • Opcode ID: 66c646560b8bf697fbe42f3dfec7b55b0a9f3f2f32961008162c3dcd49e02831
                                                        • Instruction ID: 66f6781bc2c3107f17d19a93ad943566a23a15a4ee9abd0164f0b27d9b4a63cb
                                                        • Opcode Fuzzy Hash: 66c646560b8bf697fbe42f3dfec7b55b0a9f3f2f32961008162c3dcd49e02831
                                                        • Instruction Fuzzy Hash: 0BA1C67190A2E0CFCF11D7697C453D97FA67B27704B0CE89BD661AFA2AD2204608CB25

                                                        Control-flow Graph

                                                        Control-flow graph (edge list omitted). The function calls CreateStreamOnHGlobal, then FindResourceExW; on success it chains LoadResource, SizeofResource and LockResource, with each failure branching to the common exit block.
                                                        APIs
                                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005450AA,?,?,00000000,00000000), ref: 005442B2
                                                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005450AA,?,?,00000000,00000000), ref: 005442C9
                                                        • LoadResource.KERNEL32(?,00000000,?,?,005450AA,?,?,00000000,00000000,?,?,?,?,?,?,00544F20), ref: 005835BE
                                                        • SizeofResource.KERNEL32(?,00000000,?,?,005450AA,?,?,00000000,00000000,?,?,?,?,?,?,00544F20), ref: 005835D3
                                                        • LockResource.KERNEL32(005450AA,?,?,005450AA,?,?,00000000,00000000,?,?,?,?,?,?,00544F20,?), ref: 005835E6
                                                        Similarity
                                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                        • String ID: SCRIPT
                                                        • API String ID: 3051347437-3967369404
                                                        • Opcode ID: 06e3dc0d8e48b2379731a75cecc098a6bbc34e883e57613eb543b9b54f9d1480
                                                        • Instruction ID: 1a6d3e28194494370f3c04d9b4cd125ccf9ea59b1e35703517f7e87575e41c7a
                                                        • Opcode Fuzzy Hash: 06e3dc0d8e48b2379731a75cecc098a6bbc34e883e57613eb543b9b54f9d1480
                                                        • Instruction Fuzzy Hash: 51117CB8241701BFEB218BA5DC48F677FB9FBD5B55F10816EB44296290DBB1D804DA20

                                                        Control-flow Graph

                                                        APIs
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00542B6B
                                                          • Part of subcall function 00543A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00611418,?,00542E7F,?,?,?,00000000), ref: 00543A78
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                        • GetForegroundWindow.USER32(runas,?,?,?,?,?,00602224), ref: 00582C10
                                                        • ShellExecuteW.SHELL32(00000000,?,?,00602224), ref: 00582C17
                                                        Similarity
                                                        • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                        • String ID: runas
                                                        • API String ID: 448630720-4000483414
                                                        • Opcode ID: 83a1fceb845955351f3d948d056b6eed0ff0ebb869d494ca90cd07996670afbf
                                                        • Instruction ID: 2d0fdbad3ba1d781ce26f7a66d578a1c7716d211a1e4292e2b5a0862e09ba4ce
                                                        • Opcode Fuzzy Hash: 83a1fceb845955351f3d948d056b6eed0ff0ebb869d494ca90cd07996670afbf
                                                        • Instruction Fuzzy Hash: E811A2312483436AC714FF60D85A9EEBFA5BBE1759F48582EB142560B2CF218A49D712
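                                                        The four listings above are the parts of this report an analyst would turn into triage rules: the FindWindowW(Shell_TrayWnd) / IsIconic / ShowWindow sequence followed by AttachThreadInput and a simulated ALT keystroke (VK_MENU, 0x12) around SetForegroundWindow, which is the usual way a process defeats the foreground-window lock; the IsWow64Process probe with GetNativeSystemInfo resolved through GetProcAddress; the FindResourceExW lookup of an RT_RCDATA (type 0x0A) resource named SCRIPT; and the ShellExecuteW call with the string runas on the stack. The following Python is an added example and is not part of the Joe Sandbox report or of the sample's own code. It parses report lines in the exact format used on this page and matches them against signatures written for those call sequences. The signature names are this example's interpretation (an assumption, not sandbox labels); the constants used are VK_MENU 0x12, SW_RESTORE 9 and RT_RCDATA 10; the sample lines are copied from this page's listings and concatenated into one constructed block so that every rule fires.

```python
"""Triage helper for Joe Sandbox per-function API listings.

Parses lines of the form
    • Api.MODULE(arg1,arg2,...), ref: 0059F474
    • Api.MODULE ref: 0059F4B1
and matches small behavioural signatures against the parsed calls.
The signature names are this example's own interpretation of the call
sequences shown on the page, not labels produced by the sandbox.
"""
import re
from typing import Callable, List, NamedTuple, Optional, Tuple

# One entry per "• Api.Module(args), ref: ADDR" line of the report.
LINE = re.compile(
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"   # e.g. keybd_event.USER32
    r"(?:\((?P<args>[^)]*)\))?"                       # optional argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"              # call-site address
)


class Call(NamedTuple):
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int


def parse_calls(text: str) -> List[Call]:
    """Return every API call found in a block of report lines, in page order."""
    calls = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(Call(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


Predicate = Callable[[List[Call]], bool]


def calls_api(api: str, arg: Optional[str] = None) -> Predicate:
    """Predicate: some call to `api` exists, optionally carrying `arg`. Joe Sandbox
    prints arguments as 8-digit hex, '?' for unresolved slots, or a resolved string."""
    return lambda calls: any(c.api == api and (arg is None or arg in c.args) for c in calls)


def any_arg(value: str) -> Predicate:
    """Predicate: `value` appears in the argument/stack dump of any call."""
    return lambda calls: any(value in c.args for c in calls)


# Each signature fires only when all of its predicates hold for one function's listing.
# Constants: VK_MENU = 0x12 (ALT), SW_RESTORE = 9, RT_RCDATA = 10 (0x0A).
RULES = {
    "foreground-activation bypass: AttachThreadInput + simulated ALT tap around SetForegroundWindow": [
        calls_api("AttachThreadInput"),
        calls_api("keybd_event", "00000012"),
        calls_api("SetForegroundWindow"),
    ],
    "taskbar window restore: FindWindowW(Shell_TrayWnd) / IsIconic / ShowWindow(SW_RESTORE)": [
        calls_api("FindWindowW", "Shell_TrayWnd"),
        calls_api("IsIconic"),
        calls_api("ShowWindow", "00000009"),
    ],
    "host architecture fingerprint: IsWow64Process + GetNativeSystemInfo resolved via GetProcAddress": [
        calls_api("IsWow64Process"),
        calls_api("GetProcAddress", "GetNativeSystemInfo"),
    ],
    "payload embedded as RT_RCDATA resource named SCRIPT": [
        calls_api("FindResourceExW", "0000000A"),
        calls_api("FindResourceExW", "SCRIPT"),
        calls_api("LockResource"),
    ],
    "self-elevation through the UAC prompt: ShellExecuteW with verb runas": [
        calls_api("ShellExecuteW"),
        any_arg("runas"),
    ],
}


def match_rules(calls: List[Call]) -> List[str]:
    """Names of every rule whose predicates all hold for the given calls."""
    return [name for name, preds in RULES.items() if all(p(calls) for p in preds)]


# Constructed sample: a subset of the listing lines from this report page, copied
# verbatim (and merged from several functions) so the parser sees the real format.
SAMPLE = """\
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0059F474
• IsIconic.USER32(00000000), ref: 0059F47D
• ShowWindow.USER32(00000000,00000009), ref: 0059F48A
• GetCurrentThreadId.KERNEL32 ref: 0059F4B1
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0059F4CE
• keybd_event.USER32(00000012,00000000), ref: 0059F501
• SetForegroundWindow.USER32(00000000), ref: 0059F530
  • Part of subcall function 00546B57: _wcslen.LIBCMT ref: 00546B6A
• IsWow64Process.KERNEL32(00000000,?,?), ref: 00544429
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00544466
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005450AA,?,?,00000000,00000000), ref: 005442C9
• LockResource.KERNEL32(005450AA,?,?,005450AA,?,?,00000000,00000000,?,?,?,?,?,?,00544F20,?), ref: 005835E6
• GetForegroundWindow.USER32(runas,?,?,?,?,?,00602224), ref: 00582C10
• ShellExecuteW.SHELL32(00000000,?,?,00602224), ref: 00582C17
"""


def triage(text: str) -> List[str]:
    """Parse a listing and return the matching rule names."""
    return match_rules(parse_calls(text))


if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print("match:", hit)
```

                                                        Run it per function listing rather than over a whole report; unrelated functions would otherwise satisfy one rule between them, and the sample merges listings only to exercise every rule. Arguments shown as ? are unresolved stack slots, so rules should key on resolved strings and fixed constants, as these do, and the runas string is taken from the stack dump rather than from ShellExecuteW's own resolved arguments.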
                                                        APIs
                                                        • lstrlenW.KERNEL32(?,00585222), ref: 005ADBCE
                                                        • GetFileAttributesW.KERNELBASE(?), ref: 005ADBDD
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 005ADBEE
                                                        • FindClose.KERNEL32(00000000), ref: 005ADBFA
                                                        Similarity
                                                        • API ID: FileFind$AttributesCloseFirstlstrlen
                                                        • String ID:
                                                        • API String ID: 2695905019-0
                                                        • Opcode ID: 1bb3db9e3dd22fca2682e68f9054fc6ff281ea19655157f42157c63a4d1ea701
                                                        • Instruction ID: 29b2b67cd1448d9a620dd8e16f873ab317cb1e6ab4a40add100ce40876234098
                                                        • Opcode Fuzzy Hash: 1bb3db9e3dd22fca2682e68f9054fc6ff281ea19655157f42157c63a4d1ea701
                                                        • Instruction Fuzzy Hash: 00F0A0308119215782307B78AC0D8AE3F7CAF42335B904713F8B7C24E0EBB45D98EAA5
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(005728E9,?,00564CBE,005728E9,006088B8,0000000C,00564E15,005728E9,00000002,00000000,?,005728E9), ref: 00564D09
                                                        • TerminateProcess.KERNEL32(00000000,?,00564CBE,005728E9,006088B8,0000000C,00564E15,005728E9,00000002,00000000,?,005728E9), ref: 00564D10
                                                        • ExitProcess.KERNEL32 ref: 00564D22
                                                        Similarity
                                                        • API ID: Process$CurrentExitTerminate
                                                        • String ID:
                                                        • API String ID: 1703294689-0
                                                        • Opcode ID: 91333d07f3dfaeb5084076738484bfeaad0aae127d9ca09896e501db8253067f
                                                        • Instruction ID: f8286e637f053ec4edbadf61d27e9c5fc222ac33f32b2f3004ffd06281d3f84a
                                                        • Opcode Fuzzy Hash: 91333d07f3dfaeb5084076738484bfeaad0aae127d9ca09896e501db8253067f
                                                        • Instruction Fuzzy Hash: 1AE0B631401149ABCF21AF54DD09A583F79FB92791F108416FC098B122CB35DD46EE80
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Variable is not of type 'Object'.$p#a
                                                        • API String ID: 0-1801905891
                                                        • Opcode ID: 2344393001b51b70a94efc38347ff4494572906a9977776e10a8eb0732ef07f2
                                                        • Instruction ID: cea04fba780904a819a4b8044520d0b201ca931b69eebf17cba872c7ae71c62b
                                                        • Opcode Fuzzy Hash: 2344393001b51b70a94efc38347ff4494572906a9977776e10a8eb0732ef07f2
                                                        • Instruction Fuzzy Hash: 7132AE70901219EFCF54DF90C895AEDBFB9FF85308F144469E806AB292D735AE49CB60
                                                        Similarity
                                                        • API ID: BuffCharUpper
                                                        • String ID: p#a
                                                        • API String ID: 3964851224-799840237
                                                        • Opcode ID: a8a6f3d461b0af099517479cf37dd10b62512a8b4d3320824f7055a8fad9b767
                                                        • Instruction ID: 1a1c746739a844175b0e7d45fa28252047247483ae25bfb2c0470d6615e4a10f
                                                        • Opcode Fuzzy Hash: a8a6f3d461b0af099517479cf37dd10b62512a8b4d3320824f7055a8fad9b767
                                                        • Instruction Fuzzy Hash: 4CA248706093019FDB54CF18C484B6ABFE1BFC9308F14996DE99A8B392D771E845CB92

                                                        Control-flow Graph

                                                        (rendered graph of executed and not-executed basic blocks omitted)
                                                        APIs
                                                        • _wcslen.LIBCMT ref: 005CB198
                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005CB1B0
                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005CB1D4
                                                        • _wcslen.LIBCMT ref: 005CB200
                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005CB214
                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005CB236
                                                        • _wcslen.LIBCMT ref: 005CB332
                                                          • Part of subcall function 005B05A7: GetStdHandle.KERNEL32(000000F6), ref: 005B05C6
                                                        • _wcslen.LIBCMT ref: 005CB34B
                                                        • _wcslen.LIBCMT ref: 005CB366
                                                        • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005CB3B6
                                                        • GetLastError.KERNEL32(00000000), ref: 005CB407
                                                        • CloseHandle.KERNEL32(?), ref: 005CB439
                                                        • CloseHandle.KERNEL32(00000000), ref: 005CB44A
                                                        • CloseHandle.KERNEL32(00000000), ref: 005CB45C
                                                        • CloseHandle.KERNEL32(00000000), ref: 005CB46E
                                                        • CloseHandle.KERNEL32(?), ref: 005CB4E3
                                                        Similarity
                                                        • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                        • String ID:
                                                        • API String ID: 2178637699-0
                                                        • Opcode ID: 5150a6855d209c760987df025df992f6bceab73416f738df39831d56d4a8f305
                                                        • Instruction ID: d00893a6c6538fb9b944e3de0870f83d738a10c4e9803d8c70ba290ce76908c6
                                                        • Opcode Fuzzy Hash: 5150a6855d209c760987df025df992f6bceab73416f738df39831d56d4a8f305
                                                        • Instruction Fuzzy Hash: ADF19A315082419FDB24EF64C896B6EBFE5BF84314F14895DF8899B2A2DB31EC44CB52
                                                        APIs
                                                        • GetInputState.USER32 ref: 0054D807
                                                        • timeGetTime.WINMM ref: 0054DA07
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0054DB28
                                                        • TranslateMessage.USER32(?), ref: 0054DB7B
                                                        • DispatchMessageW.USER32(?), ref: 0054DB89
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0054DB9F
                                                        • Sleep.KERNELBASE(0000000A), ref: 0054DBB1
                                                        Similarity
                                                        • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                        • String ID:
                                                        • API String ID: 2189390790-0
                                                        • Opcode ID: 51a0051c96ef25444c10ce7088298ea634479611cdb8549203f2e69f5d2eee9c
                                                        • Instruction ID: aee422f3f4a28d4b2dc69afaa11899845e2b479ae0dfcfa177b72104692ee75a
                                                        • Opcode Fuzzy Hash: 51a0051c96ef25444c10ce7088298ea634479611cdb8549203f2e69f5d2eee9c
                                                        • Instruction Fuzzy Hash: 6242A170604642EFDB24CF24C899BAABFF5FF85308F14895EE55587291D770E844CBA2

                                                        Control-flow Graph

                                                        APIs
                                                        • GetSysColorBrush.USER32(0000000F), ref: 00542D07
                                                        • RegisterClassExW.USER32(00000030), ref: 00542D31
                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00542D42
                                                        • InitCommonControlsEx.COMCTL32(?), ref: 00542D5F
                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00542D6F
                                                        • LoadIconW.USER32(000000A9), ref: 00542D85
                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00542D94
                                                        Strings
                                                        Similarity
                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                        • API String ID: 2914291525-1005189915
                                                        • Opcode ID: e91bb62baca84c8602e3a98b08e44d61e823fe4b296db21be973d7050e06b305
                                                        • Instruction ID: 4d58cfc6e9c1c7aeda977049b2094eb09669d7b3c840b57d671b474b17c3f419
                                                        • Opcode Fuzzy Hash: e91bb62baca84c8602e3a98b08e44d61e823fe4b296db21be973d7050e06b305
                                                        • Instruction Fuzzy Hash: DA21E3B5902209AFDB10DFA4E849BDDBFB9FB09701F04811BF621AA2A0D7B10544DF91

                                                        Control-flow Graph

                                                        (rendered graph of executed and not-executed basic blocks omitted)
                                                        APIs
                                                          • Part of subcall function 0058039A: CreateFileW.KERNELBASE(00000000,00000000,?,00580704,?,?,00000000,?,00580704,00000000,0000000C), ref: 005803B7
                                                        • GetLastError.KERNEL32 ref: 0058076F
                                                        • __dosmaperr.LIBCMT ref: 00580776
                                                        • GetFileType.KERNELBASE(00000000), ref: 00580782
                                                        • GetLastError.KERNEL32 ref: 0058078C
                                                        • __dosmaperr.LIBCMT ref: 00580795
                                                        • CloseHandle.KERNEL32(00000000), ref: 005807B5
                                                        • CloseHandle.KERNEL32(?), ref: 005808FF
                                                        • GetLastError.KERNEL32 ref: 00580931
                                                        • __dosmaperr.LIBCMT ref: 00580938
                                                        Strings
                                                        Similarity
                                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                        • String ID: H
                                                        • API String ID: 4237864984-2852464175
                                                        • Opcode ID: a02fa8d95d93f706bd14784a61c16095eeb978658478dec0735b89aff4d135fb
                                                        • Instruction ID: b427b75e6f195fde5d20d44900d94cfa7bf74768f002a27c9a7e08686b65ceb7
                                                        • Opcode Fuzzy Hash: a02fa8d95d93f706bd14784a61c16095eeb978658478dec0735b89aff4d135fb
                                                        • Instruction Fuzzy Hash: 7AA12632A001098FDF19AF68DC56BAD3FA1FB46320F14515AFC15EB2D1DB31985ACB91

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00543A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00611418,?,00542E7F,?,?,?,00000000), ref: 00543A78
                                                          • Part of subcall function 00543357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00543379
                                                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0054356A
                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0058318D
                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005831CE
                                                        • RegCloseKey.ADVAPI32(?), ref: 00583210
                                                        • _wcslen.LIBCMT ref: 00583277
                                                        • _wcslen.LIBCMT ref: 00583286
                                                        Strings
                                                        Similarity
                                                        • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                        • API String ID: 98802146-2727554177
                                                        • Opcode ID: 583a911af0db329cc8f244022aff2ccbbc51bc530a7dc187d7c6791370c37201
                                                        • Instruction ID: eb6b7caa47ff137116c203e96338258a2c6ea4f9e8931aec9ddc7fd83f485fe2
                                                        • Opcode Fuzzy Hash: 583a911af0db329cc8f244022aff2ccbbc51bc530a7dc187d7c6791370c37201
                                                        • Instruction Fuzzy Hash: 59718A714043029EC714EF29D89A9EBBFE9FF84744F44982FF49593160EB309A58CB52

                                                        Control-flow Graph

                                                        APIs
                                                        • GetSysColorBrush.USER32(0000000F), ref: 00542B8E
                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00542B9D
                                                        • LoadIconW.USER32(00000063), ref: 00542BB3
                                                        • LoadIconW.USER32(000000A4), ref: 00542BC5
                                                        • LoadIconW.USER32(000000A2), ref: 00542BD7
                                                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00542BEF
                                                        • RegisterClassExW.USER32(?), ref: 00542C40
                                                          • Part of subcall function 00542CD4: GetSysColorBrush.USER32(0000000F), ref: 00542D07
                                                          • Part of subcall function 00542CD4: RegisterClassExW.USER32(00000030), ref: 00542D31
                                                          • Part of subcall function 00542CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00542D42
                                                          • Part of subcall function 00542CD4: InitCommonControlsEx.COMCTL32(?), ref: 00542D5F
                                                          • Part of subcall function 00542CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00542D6F
                                                          • Part of subcall function 00542CD4: LoadIconW.USER32(000000A9), ref: 00542D85
                                                          • Part of subcall function 00542CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00542D94
                                                        Strings
                                                        Similarity
                                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                        • String ID: #$0$AutoIt v3
                                                        • API String ID: 423443420-4155596026
                                                        • Opcode ID: ec70435e50318d05f183ea7b88d85b9589e075c82918915dc1bd26c3a5877e5e
                                                        • Instruction ID: 734a8a05d1b527eb5e388c22cc6fde8b27ec31a911976e2c23383a51ba4a6097
                                                        • Opcode Fuzzy Hash: ec70435e50318d05f183ea7b88d85b9589e075c82918915dc1bd26c3a5877e5e
                                                        • Instruction Fuzzy Hash: 8D214F70E01314ABDB109F96EC55AD97FB6FB49B50F08901BF610AA6A4D3B11A44DF90
                                                        APIs
                                                        • __Init_thread_footer.LIBCMT ref: 0054BB4E
                                                        Strings
                                                        Similarity
                                                        • API ID: Init_thread_footer
                                                        • String ID: p#a$p#a$p#a$p#a$p%a$p%a$x#a$x#a
                                                        • API String ID: 1385522511-3617822177
                                                        • Opcode ID: f9550f8fd58b343c635fc0eaba0c585af094ed24fe8888faf2a3cea029951b00
                                                        • Instruction ID: 50019257f5a4ddd8de81d8a18ba9cd55bdb470f0f84c594a70427a464c262206
                                                        • Opcode Fuzzy Hash: f9550f8fd58b343c635fc0eaba0c585af094ed24fe8888faf2a3cea029951b00
                                                        • Instruction Fuzzy Hash: D9329E35A0020A9FEF14CF54C894AFABFBAFF44318F18885AE915AB291C774ED41DB51

                                                        Control-flow Graph

                                                        (rendered graph of executed and not-executed basic blocks omitted)
                                                        APIs
                                                        • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0054316A,?,?), ref: 005431D8
                                                        • KillTimer.USER32(?,00000001,?,?,?,?,?,0054316A,?,?), ref: 00543204
                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00543227
                                                        • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0054316A,?,?), ref: 00543232
                                                        • CreatePopupMenu.USER32 ref: 00543246
                                                        • PostQuitMessage.USER32(00000000), ref: 00543267
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                        • String ID: TaskbarCreated
                                                        • API String ID: 129472671-2362178303
                                                        • Opcode ID: 73056159672ef7ced61adf698349ff08f9166149592cfa6955a2a99a47b748d0
                                                        • Instruction ID: 725f02d98a31f6ac9eaeb4b244474f576d599accd5e326c104ba7d5591be2a34
                                                        • Opcode Fuzzy Hash: 73056159672ef7ced61adf698349ff08f9166149592cfa6955a2a99a47b748d0
                                                        • Instruction Fuzzy Hash: 00412735204205ABDF242B38DC5DBFD3F1AF746308F08552BFA129A1B5C7B19A40D761

                                                        Control-flow Graph (graph image with executed / not executed basic blocks; not reproduced in text)
                                                        APIs
                                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00541459
                                                        • CoUninitialize.COMBASE ref: 005414F8
                                                        • UnregisterHotKey.USER32(?), ref: 005416DD
                                                        • DestroyWindow.USER32(?), ref: 005824B9
                                                        • FreeLibrary.KERNEL32(?), ref: 0058251E
                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0058254B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                        • String ID: close all
                                                        • API String ID: 469580280-3243417748
                                                        • Opcode ID: a605d849a90968f4f31b3fa28c47688fb06585149826130d89031c369cbb479f
                                                        • Instruction ID: 599f53f5a49b1ed51a2a4f7c1cd9de68cb8f8b5d06db02d6e0b741ea4f2182a3
                                                        • Opcode Fuzzy Hash: a605d849a90968f4f31b3fa28c47688fb06585149826130d89031c369cbb479f
                                                        • Instruction Fuzzy Hash: 48D18C307016138FCB29EF15C499AA9FFA4BF45704F1442AEE84A6B262DB30ED56CF54

                                                        Control-flow Graph (graph image with executed / not executed basic blocks; not reproduced in text)
                                                        APIs
                                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00542C91
                                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00542CB2
                                                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00541CAD,?), ref: 00542CC6
                                                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00541CAD,?), ref: 00542CCF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window$CreateShow
                                                        • String ID: AutoIt v3$edit
                                                        • API String ID: 1584632944-3779509399
                                                        • Opcode ID: 7c6016bf6f137dbdd7d710830770ab1c1b016ebd9b3f274f38b143aecf96b189
                                                        • Instruction ID: 3b4cf71adcf23ec00b1d6a5718df65c978ddd2b693fd9c4ec5058ca3f8b3ea11
                                                        • Opcode Fuzzy Hash: 7c6016bf6f137dbdd7d710830770ab1c1b016ebd9b3f274f38b143aecf96b189
                                                        • Instruction Fuzzy Hash: 03F0DA755402907BEB311717AC08EB76EBEE7C7F50B04915FFA10EA6A4C6611854EAB0

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 00541BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00541BF4
                                                          • Part of subcall function 00541BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00541BFC
                                                          • Part of subcall function 00541BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00541C07
                                                          • Part of subcall function 00541BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00541C12
                                                          • Part of subcall function 00541BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00541C1A
                                                          • Part of subcall function 00541BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00541C22
                                                          • Part of subcall function 00541B4A: RegisterWindowMessageW.USER32(00000004,?,005412C4), ref: 00541BA2
                                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0054136A
                                                        • OleInitialize.OLE32 ref: 00541388
                                                        • CloseHandle.KERNEL32(00000000,00000000), ref: 005824AB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                        • String ID: (8$`
                                                        • API String ID: 1986988660-2652067000
                                                        • Opcode ID: 2c4921fded91f756810512cc3e4ffa33807a2c13b112c46fdfc6d14a8d3f42ca
                                                        • Instruction ID: 00c8a5cd9f537961d54aadfc5e94a72e7ae10aaa009faf37375751ff31945888
                                                        • Opcode Fuzzy Hash: 2c4921fded91f756810512cc3e4ffa33807a2c13b112c46fdfc6d14a8d3f42ca
                                                        • Instruction Fuzzy Hash: F671A8F49122068EC784EF7AA8596D53EE3BB8A74471CE22BD60ACF361EB304445CF44

                                                        Control-flow Graph (graph image with executed / not executed basic blocks; not reproduced in text)
                                                        APIs
                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 005AE997
                                                        • QueryPerformanceFrequency.KERNEL32(?), ref: 005AE9A5
                                                        • Sleep.KERNEL32(00000000), ref: 005AE9AD
                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 005AE9B7
                                                        • Sleep.KERNELBASE ref: 005AE9F3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                                        • String ID:
                                                        • API String ID: 2833360925-0
                                                        • Opcode ID: d827d23c14aee56a0355a84eb7bea8c6f99b8318114f70f1fd4d23258394c8eb
                                                        • Instruction ID: 242d2b69a111e1b3cb1b224a182a021f2aba3afe024061bf690eabc11a8faa64
                                                        • Opcode Fuzzy Hash: d827d23c14aee56a0355a84eb7bea8c6f99b8318114f70f1fd4d23258394c8eb
                                                        • Instruction Fuzzy Hash: 53011731C0262ADBCF10ABE5D85AAEEBF78BB1A701F000556E902B2241CB349559DBA1
                                                        APIs
                                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00543B0F,SwapMouseButtons,00000004,?), ref: 00543B40
                                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00543B0F,SwapMouseButtons,00000004,?), ref: 00543B61
                                                        • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00543B0F,SwapMouseButtons,00000004,?), ref: 00543B83
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID: Control Panel\Mouse
                                                        • API String ID: 3677997916-824357125
                                                        • Opcode ID: 82d8fd3d90b87c280aa4b682dd02efc46cf2f080d2d2e1187d9cac6547a47a91
                                                        • Instruction ID: 3df65d9234c349dbac87fd2fa0bb6f974338dd01a9f62ed542a7c0ae45300fcf
                                                        • Opcode Fuzzy Hash: 82d8fd3d90b87c280aa4b682dd02efc46cf2f080d2d2e1187d9cac6547a47a91
                                                        • Instruction Fuzzy Hash: CB112AB5511208FFDB218FA5DC48AEEBBB8FF04748B10895AA805D7120E2319E44A760
                                                        APIs
                                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005833A2
                                                          • Part of subcall function 00546B57: _wcslen.LIBCMT ref: 00546B6A
                                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00543A04
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: IconLoadNotifyShell_String_wcslen
                                                        • String ID: Line:
                                                        • API String ID: 2289894680-1585850449
                                                        • Opcode ID: 5943d0e6c64e20ac64d6bb5e0ac927a3f624b3e3379b7a4e61c4e48259f48241
                                                        • Instruction ID: 6f163062b940b39ee2107102e8f59208358f6d869af6fee1d309e7c700525438
                                                        • Opcode Fuzzy Hash: 5943d0e6c64e20ac64d6bb5e0ac927a3f624b3e3379b7a4e61c4e48259f48241
                                                        • Instruction Fuzzy Hash: 7B31C571448305AAD721EF20DC49BDBBBE8BF81718F14492AF599931A1EF709648C7C3
                                                        APIs
                                                        • GetOpenFileNameW.COMDLG32(?), ref: 00582C8C
                                                          • Part of subcall function 00543AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00543A97,?,?,00542E7F,?,?,?,00000000), ref: 00543AC2
                                                          • Part of subcall function 00542DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00542DC4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Name$Path$FileFullLongOpen
                                                        • String ID: X$`e`
                                                        • API String ID: 779396738-4244537060
                                                        • Opcode ID: 066e1ed0d9693af29485f7795e02fe70d623488a8f2ec1f7eaef4f18d6bc86c4
                                                        • Instruction ID: 9431f676c3e7497c8df4a94f783edc0fa8a6e60759bf68d2b5400f2c4017acf1
                                                        • Opcode Fuzzy Hash: 066e1ed0d9693af29485f7795e02fe70d623488a8f2ec1f7eaef4f18d6bc86c4
                                                        • Instruction Fuzzy Hash: 81215171A002599BDB05AF94C849BEE7FFDAF89318F00805AF505B7281DBB45A498F61
                                                        APIs
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00560668
                                                          • Part of subcall function 005632A4: RaiseException.KERNEL32(?,?,?,0056068A,?,00611444,?,?,?,?,?,?,0056068A,00541129,00608738,00541129), ref: 00563304
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 00560685
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Exception@8Throw$ExceptionRaise
                                                        • String ID: Unknown exception
                                                        • API String ID: 3476068407-410509341
                                                        • Opcode ID: dc9d002275af1c049c96e216a22851c64b9ae74af2ca1c6480e62e46769d75f2
                                                        • Instruction ID: e1852ee48f6c58bd47a4ec47ace3c22dcd413c342bb728b627cac55fadb2d591
                                                        • Opcode Fuzzy Hash: dc9d002275af1c049c96e216a22851c64b9ae74af2ca1c6480e62e46769d75f2
                                                        • Instruction Fuzzy Hash: 93F0C23890020E77CF04BAA4DC5AC9F7F7D7E80310B604532B914975D1EF71DA69CA81
                                                        APIs
                                                          • Part of subcall function 00543923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00543A04
                                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005AC259
                                                        • KillTimer.USER32(?,00000001,?,?), ref: 005AC261
                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005AC270
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: IconNotifyShell_Timer$Kill
                                                        • String ID:
                                                        • API String ID: 3500052701-0
                                                        APIs
                                                        • CloseHandle.KERNELBASE(00000000,00000000,?,?,005785CC,?,00608CC8,0000000C), ref: 00578704
                                                        • GetLastError.KERNEL32(?,005785CC,?,00608CC8,0000000C), ref: 0057870E
                                                        • __dosmaperr.LIBCMT ref: 00578739
                                                        Similarity
                                                        • API ID: CloseErrorHandleLast__dosmaperr
                                                        • String ID:
                                                        • API String ID: 2583163307-0
                                                        APIs
                                                        • TranslateMessage.USER32(?), ref: 0054DB7B
                                                        • DispatchMessageW.USER32(?), ref: 0054DB89
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0054DB9F
                                                        • Sleep.KERNELBASE(0000000A), ref: 0054DBB1
                                                        • TranslateAcceleratorW.USER32(?,?,?), ref: 00591CC9
                                                        Similarity
                                                        • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                                        • String ID:
                                                        • API String ID: 3288985973-0
                                                        APIs
                                                        • __Init_thread_footer.LIBCMT ref: 005517F6
                                                        Strings
                                                        Similarity
                                                        • API ID: Init_thread_footer
                                                        • String ID: CALL
                                                        • API String ID: 1385522511-4196123274
                                                        APIs
                                                          • Part of subcall function 00546B57: _wcslen.LIBCMT ref: 00546B6A
                                                        • GetWindowTextW.USER32(?,?,00007FFF), ref: 005D2043
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                        Strings
                                                        Similarity
                                                        • API ID: _wcslen$TextWindow
                                                        • String ID: all
                                                        • API String ID: 4161112387-991457757
                                                        APIs
                                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00543908
                                                        Similarity
                                                        • API ID: IconNotifyShell_
                                                        • String ID:
                                                        • API String ID: 1144537725-0
                                                        APIs
                                                        • timeGetTime.WINMM ref: 0055F661
                                                          • Part of subcall function 0054D730: GetInputState.USER32 ref: 0054D807
                                                        • Sleep.KERNEL32(00000000), ref: 0059F2DE
                                                        Similarity
                                                        • API ID: InputSleepStateTimetime
                                                        • String ID:
                                                        • API String ID: 4149333218-0
                                                        APIs
                                                        • GetForegroundWindow.USER32(00000001,?), ref: 005D1420
                                                        Similarity
                                                        • API ID: ForegroundWindow
                                                        • String ID:
                                                        • API String ID: 2020703349-0
                                                        APIs
                                                          • Part of subcall function 00544E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00544EDD,?,00611418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00544E9C
                                                          • Part of subcall function 00544E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00544EAE
                                                          • Part of subcall function 00544E90: FreeLibrary.KERNEL32(00000000,?,?,00544EDD,?,00611418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00544EC0
                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00611418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00544EFD
                                                          • Part of subcall function 00544E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00583CDE,?,00611418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00544E62
                                                          • Part of subcall function 00544E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00544E74
                                                          • Part of subcall function 00544E59: FreeLibrary.KERNEL32(00000000,?,?,00583CDE,?,00611418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00544E87
                                                        Similarity
                                                        • API ID: Library$Load$AddressFreeProc
                                                        • String ID:
                                                        • API String ID: 2632591731-0
                                                        APIs
                                                        • ShowWindow.USER32(?,00000000,00000001,?), ref: 005D26E0
                                                        Similarity
                                                        • API ID: ShowWindow
                                                        • String ID:
                                                        • API String ID: 1268545403-0
                                                        APIs
                                                        Similarity
                                                        • API ID: __wsopen_s
                                                        • String ID:
                                                        • API String ID: 3347428461-0
                                                        APIs
                                                          • Part of subcall function 00574C7D: RtlAllocateHeap.NTDLL(00000008,00541129,00000000,?,00572E29,00000001,00000364,?,?,?,0056F2DE,00573863,00611444,?,0055FDF5,?), ref: 00574CBE
                                                        • _free.LIBCMT ref: 0057506C
                                                        Similarity
                                                        • API ID: AllocateHeap_free
                                                        • String ID:
                                                        • API String ID: 614378929-0
                                                        APIs
                                                        • GetForegroundWindow.USER32(00000000,?,?,?,005D14B5,?), ref: 005D2A01
                                                        Similarity
                                                        • API ID: ForegroundWindow
                                                        • String ID:
                                                        • API String ID: 2020703349-0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                        • Instruction ID: 1c07a3e5523d589e43ba5ec56a055ff110f22feac4147aa3b604a1fea1c401ee
                                                        • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                        • Instruction Fuzzy Hash: 7BF02D36912A159AD7313A75FC0EB573F98BFD2330F104B15F428931D1CB70D8429AA6
                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000008,00541129,00000000,?,00572E29,00000001,00000364,?,?,?,0056F2DE,00573863,00611444,?,0055FDF5,?), ref: 00574CBE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        • Opcode ID: c7f06950ce3a10bdab7eec878f72aa7a8a33221d6fbc29250d95ca8044582d80
                                                        • Instruction ID: c356a84e1e3412d205a0b0d1fd80f40f756ef6446ea0b00f5a5e51110c5426fb
                                                        • Opcode Fuzzy Hash: c7f06950ce3a10bdab7eec878f72aa7a8a33221d6fbc29250d95ca8044582d80
                                                        • Instruction Fuzzy Hash: E1F0BB3160212566DB225F61BC09B5A7F4CBF81760B19C522B91D97185CB30DC00AE90
                                                        APIs
                                                        • RtlAllocateHeap.NTDLL(00000000,?,00611444,?,0055FDF5,?,?,0054A976,00000010,00611440,005413FC,?,005413C6,?,00541129), ref: 00573852
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: AllocateHeap
                                                        • String ID:
                                                        • API String ID: 1279760036-0
                                                        • Opcode ID: d6b82ac25f9b18887d85944793eedc96230d64c6292167ca9d8b360b065e1fa4
                                                        • Instruction ID: defe81f782f898059d376b0c79599c64bbacb4776c6360bab302c5e281816dbe
                                                        • Opcode Fuzzy Hash: d6b82ac25f9b18887d85944793eedc96230d64c6292167ca9d8b360b065e1fa4
                                                        • Instruction Fuzzy Hash: 75E0E53110322696D7312A67BC14F9A7F49BB827B0F058122BC1C97581CB31DD01B6E3
                                                        APIs
                                                        • FreeLibrary.KERNEL32(?,?,00611418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00544F6D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: FreeLibrary
                                                        • String ID:
                                                        • API String ID: 3664257935-0
                                                        • Opcode ID: 3f95a45ff9d88ebad95434ae80d17d7e407806a6b17b8afd0b79187c2b04a3c2
                                                        • Instruction ID: 72a640fd6a226c295b6d41e53b0b9e2ce7761ecd1de24c1356febbd2b3540d0d
                                                        • Opcode Fuzzy Hash: 3f95a45ff9d88ebad95434ae80d17d7e407806a6b17b8afd0b79187c2b04a3c2
                                                        • Instruction Fuzzy Hash: 06F01C71145752EFDB349F64D494952BFE4BF14319310896EE1EA83621C7319848DF10
                                                        APIs
                                                        • IsWindow.USER32(00000000), ref: 005D2A66
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window
                                                        • String ID:
                                                        • API String ID: 2353593579-0
                                                        • Opcode ID: 9da294c6d5b5347e8f6e6684f1931441a4689ef692febcb807ebead9705d4f80
                                                        • Instruction ID: 7ba3fff5a0082e15649da21f2ab31f8a889fe450dc608f287ac2054af7b07394
                                                        • Opcode Fuzzy Hash: 9da294c6d5b5347e8f6e6684f1931441a4689ef692febcb807ebead9705d4f80
                                                        • Instruction Fuzzy Hash: 4FE01A36250116AAC764AA34D8848FEAB5CFBA5395B104937A816C2210EA609995D6A0
                                                        APIs
                                                        • Shell_NotifyIconW.SHELL32(00000002,?), ref: 0054314E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: IconNotifyShell_
                                                        • String ID:
                                                        • API String ID: 1144537725-0
                                                        • Opcode ID: 612a1f4bfe5f618cf610e5bc10efe032f48bed63192a73bde77dff0ffb3339ac
                                                        • Instruction ID: 0f6a6988ae5553bd91b5cd6ed5746f398fa2788df149df60b9dd6b15f7b53e73
                                                        • Opcode Fuzzy Hash: 612a1f4bfe5f618cf610e5bc10efe032f48bed63192a73bde77dff0ffb3339ac
                                                        • Instruction Fuzzy Hash: A1F0A7709003589FEB529B24DC497D97BBCB70170CF0401E6A24897295D7704788CF41
                                                        APIs
                                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00542DC4
                                                          • Part of subcall function 00546B57: _wcslen.LIBCMT ref: 00546B6A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: LongNamePath_wcslen
                                                        • String ID:
                                                        • API String ID: 541455249-0
                                                        • Opcode ID: c54efac8c2eecf62194e444ef2484a225272c52ae271957087dbdef7c83f9661
                                                        • Instruction ID: 4dc97417d866dd123b876bfb583b744f43da96b10aecfea2bd8bfd72164b9874
                                                        • Opcode Fuzzy Hash: c54efac8c2eecf62194e444ef2484a225272c52ae271957087dbdef7c83f9661
                                                        • Instruction Fuzzy Hash: 08E0CD766001255BCB20A2589C09FDA7BDDEFC8794F040072FD09E7248D960AD84C655
                                                        APIs
                                                          • Part of subcall function 00543837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00543908
                                                          • Part of subcall function 0054D730: GetInputState.USER32 ref: 0054D807
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00542B6B
                                                          • Part of subcall function 005430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0054314E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                        • String ID:
                                                        • API String ID: 3667716007-0
                                                        • Opcode ID: 882f46649affdb39c445e77de4ef1c2df5d1e03ebe6d34a1a4bf7b4fc01bf3dd
                                                        • Instruction ID: 8629bcd48f75e88a550becc49c7d7213666d7f9ef389284673a4f5866bc0b98c
                                                        • Opcode Fuzzy Hash: 882f46649affdb39c445e77de4ef1c2df5d1e03ebe6d34a1a4bf7b4fc01bf3dd
                                                        • Instruction Fuzzy Hash: B9E0263130020603CB04BB34981A5EDBF9AFBE235DF44153FF14287173CE6146898311
                                                        APIs
                                                        • CreateFileW.KERNELBASE(00000000,00000000,?,00580704,?,?,00000000,?,00580704,00000000,0000000C), ref: 005803B7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: c1773c59d315bc10c9f5127b5ec6cebfae7e95f201e4e9c97b361fc7031afea9
                                                        • Instruction ID: fc2320c71e7f05fecdf3642cc5fe9cf2afe8ce949ad842c2e7bf025ce528d232
                                                        • Opcode Fuzzy Hash: c1773c59d315bc10c9f5127b5ec6cebfae7e95f201e4e9c97b361fc7031afea9
                                                        • Instruction Fuzzy Hash: 5AD06C3204010DBBDF128F84DD06EDA3FAAFB48714F014001BE1856120C732E821EB90
                                                        APIs
                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00541CBC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: InfoParametersSystem
                                                        • String ID:
                                                        • API String ID: 3098949447-0
                                                        • Opcode ID: af1bb1a948cb9b0fec9de18de11091df806f400eea734f4eb68cd3b4b575cf9c
                                                        • Instruction ID: 97b1f9702207b6b5867db3646efe6c66c11462aeec5a86777c1150cc108d03ed
                                                        • Opcode Fuzzy Hash: af1bb1a948cb9b0fec9de18de11091df806f400eea734f4eb68cd3b4b575cf9c
                                                        • Instruction Fuzzy Hash: 83C09B352803059FF7144780BC5AF507B56E358B00F08D103F709595E3C3A11430E750
                                                        APIs
                                                          • Part of subcall function 00559BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00559BB2
                                                        • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 005D961A
                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005D965B
                                                        • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 005D969F
                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005D96C9
                                                        • SendMessageW.USER32 ref: 005D96F2
                                                        • GetKeyState.USER32(00000011), ref: 005D978B
                                                        • GetKeyState.USER32(00000009), ref: 005D9798
                                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005D97AE
                                                        • GetKeyState.USER32(00000010), ref: 005D97B8
                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005D97E9
                                                        • SendMessageW.USER32 ref: 005D9810
                                                        • SendMessageW.USER32(?,00001030,?,005D7E95), ref: 005D9918
                                                        • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 005D992E
                                                        • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 005D9941
                                                        • SetCapture.USER32(?), ref: 005D994A
                                                        • ClientToScreen.USER32(?,?), ref: 005D99AF
                                                        • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005D99BC
                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005D99D6
                                                        • ReleaseCapture.USER32 ref: 005D99E1
                                                        • GetCursorPos.USER32(?), ref: 005D9A19
                                                        • ScreenToClient.USER32(?,?), ref: 005D9A26
                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 005D9A80
                                                        • SendMessageW.USER32 ref: 005D9AAE
                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 005D9AEB
                                                        • SendMessageW.USER32 ref: 005D9B1A
                                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 005D9B3B
                                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 005D9B4A
                                                        • GetCursorPos.USER32(?), ref: 005D9B68
                                                        • ScreenToClient.USER32(?,?), ref: 005D9B75
                                                        • GetParent.USER32(?), ref: 005D9B93
                                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 005D9BFA
                                                        • SendMessageW.USER32 ref: 005D9C2B
                                                        • ClientToScreen.USER32(?,?), ref: 005D9C84
                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 005D9CB4
                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 005D9CDE
                                                        • SendMessageW.USER32 ref: 005D9D01
                                                        • ClientToScreen.USER32(?,?), ref: 005D9D4E
                                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 005D9D82
                                                          • Part of subcall function 00559944: GetWindowLongW.USER32(?,000000EB), ref: 00559952
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 005D9E05
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                        • String ID: @GUI_DRAGID$F$p#a
                                                        • API String ID: 3429851547-3518813251
                                                        • Opcode ID: 8588b6a37cb89852f22b1e56878bc4d470110d4aa847397c70b452a68ea96e1b
                                                        • Instruction ID: aab5ad36cc959ba649a86467305b6d514c3839abe81f449b345c573b08982532
                                                        • Opcode Fuzzy Hash: 8588b6a37cb89852f22b1e56878bc4d470110d4aa847397c70b452a68ea96e1b
                                                        • Instruction Fuzzy Hash: 89426874205241AFDB34CF28C848AAABFE5FF89310F144A1BF6999B3A1D731E854DB51
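The GUI-heavy entries above (the drag handler with @GUI_DRAGID, the control-read routine with its run of SendMessageW calls, the tray-icon and SystemParametersInfoW entries) are only readable once the raw message numbers are named: 0x130B is TCM_GETCURSEL, 0x110A with wParam 9 is TVM_GETNEXTITEM/TVGN_CARET, 0x2001 is SPI_SETFOREGROUNDLOCKTIMEOUT, Shell_NotifyIconW(2, …) is NIM_DELETE. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the report's "APIs" line format and annotates those constants from the public Windows SDK header values. The sample lines are copied from the entries on this page; the constant table only covers the numbers that appear here; where control-specific message ranges overlap (LVM_FIRST, MCM_FIRST and DTM_FIRST are all 0x1000, so 0x1001 has several candidate names) every candidate is listed and the reader must resolve it from the target control class. The GetWindowLongW index arguments (shown as 000000F0 and 000000EB) are deliberately left unannotated because the report's rendering of negative immediates is not documented on this page.

```python
"""Annotate window-message and other numeric constants in Joe Sandbox 'APIs' lines.

Added example (not report or sample code). SAMPLE is copied from the report entries on
this page; constant values are the public Windows SDK header values."""
import re
from dataclasses import dataclass

# One report line, e.g.
#   • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005D965B
#   • SendMessageW.USER32 ref: 005D96F2                      (no argument list)
#   • Part of subcall function 00559BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00559BB2
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# uMsg values seen in the SendMessageW / DefDlgProcW calls above. Overlapping control
# ranges give several candidates for one number; the control class decides which applies.
MESSAGES = {
    0x000E: ("WM_GETTEXTLENGTH",), 0x004E: ("WM_NOTIFY",), 0x00F0: ("BM_GETCHECK",),
    0x0147: ("CB_GETCURSEL",), 0x0148: ("CB_GETLBTEXT",), 0x0149: ("CB_GETLBTEXTLEN",),
    0x0188: ("LB_GETCURSEL",), 0x018A: ("LB_GETTEXTLEN",),
    0x0408: ("PBM_GETPOS",),                                  # WM_USER + 8
    0x1001: ("LVM_SETBKCOLOR", "MCM_GETCURSEL", "DTM_GETSYSTEMTIME"),
    0x1012: ("LVM_HITTEST",), 0x1030: ("LVM_SORTITEMS",),      # lParam of 0x1030 is a compare callback
    0x110A: ("TVM_GETNEXTITEM",), 0x110B: ("TVM_SELECTITEM",),
    0x1111: ("TVM_HITTEST",), 0x113E: ("TVM_GETITEMW",),
    0x130B: ("TCM_GETCURSEL",), 0x133C: ("TCM_GETITEMW",),
}
TVGN = {0x9: "TVGN_CARET"}                                    # wParam of TVM_GETNEXTITEM/TVM_SELECTITEM
VKEYS = {0x09: "VK_TAB", 0x10: "VK_SHIFT", 0x11: "VK_CONTROL"}
SPI = {0x2001: "SPI_SETFOREGROUNDLOCKTIMEOUT"}
NIM = {0: "NIM_ADD", 1: "NIM_MODIFY", 2: "NIM_DELETE"}

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str
    subcall: bool

def parse_api_line(line):
    """Return an ApiCall for one report line, or None if the line is not an API entry."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return ApiCall(m["api"], m["module"], args, m["ref"].upper(), bool(m["sub"]))

def _num(arg):
    """Integer value of a hex argument; None for '?' placeholders and string arguments."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None

def annotate(call):
    """Human-readable notes for the constants in a call (empty if nothing is recognised)."""
    v = [_num(a) for a in call.args]
    notes = []
    if call.api in ("SendMessageW", "DefDlgProcW") and len(v) > 1 and v[1] in MESSAGES:
        names = MESSAGES[v[1]]
        notes.append(f"uMsg 0x{v[1]:04X} = {' | '.join(names)}")
        if names[0].startswith("TVM_") and len(v) > 2 and v[2] in TVGN:
            notes.append(f"wParam = {TVGN[v[2]]}")
        if len(names) > 1:
            notes.append("ambiguous: resolve by the target control class")
    elif call.api == "GetKeyState" and v and v[0] in VKEYS:
        notes.append(VKEYS[v[0]])
    elif call.api == "SystemParametersInfoW" and v and v[0] in SPI:
        notes.append(f"uiAction = {SPI[v[0]]}")
    elif call.api == "Shell_NotifyIconW" and v and v[0] in NIM:
        notes.append(f"dwMessage = {NIM[v[0]]}")
    return notes

def summarize(text):
    """One annotated line per API entry in a block of report text."""
    out = []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call is None:
            continue
        notes = annotate(call)
        tag = "  (subcall)" if call.subcall else ""
        note = f"  ; {', '.join(notes)}" if notes else ""
        out.append(f"{call.ref} {call.api}.{call.module}({', '.join(call.args)}){tag}{note}")
    return out

# Lines copied from the report entries on this page.
SAMPLE = """\
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 005D961A
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005D965B
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005D96C9
• SendMessageW.USER32 ref: 005D96F2
• GetKeyState.USER32(00000011), ref: 005D978B
• SendMessageW.USER32(?,00001030,?,005D7E95), ref: 005D9918
• SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005D48F3
• SendMessageW.USER32(00000000,00001001,00000000,?), ref: 005D4C82
• SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00541CBC
• Shell_NotifyIconW.SHELL32(00000002,?), ref: 0054314E
  • Part of subcall function 00559BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00559BB2
• FreeLibrary.KERNEL32(?,?,00611418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00544F6D
"""

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Once the constants are named, these functions read as the AutoIt3 interpreter's own GUI plumbing (tab, tree-view and list-view control reads, the drag-image handler, tray-icon add/delete, the foreground-lock timeout reset) rather than as logic of the embedded script, which is consistent with the "compiled AutoIt script" signature in this report's overview. For triage the interesting behaviour therefore sits in the decompiled script, and these entries mainly serve to confirm the runtime.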
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 005D48F3
                                                        • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 005D4908
                                                        • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 005D4927
                                                        • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 005D494B
                                                        • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 005D495C
                                                        • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 005D497B
                                                        • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 005D49AE
                                                        • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 005D49D4
                                                        • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 005D4A0F
                                                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005D4A56
                                                        • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 005D4A7E
                                                        • IsMenu.USER32(?), ref: 005D4A97
                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005D4AF2
                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005D4B20
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 005D4B94
                                                        • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 005D4BE3
                                                        • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 005D4C82
                                                        • wsprintfW.USER32 ref: 005D4CAE
                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005D4CC9
                                                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 005D4CF1
                                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005D4D13
                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005D4D33
                                                        • GetWindowTextW.USER32(?,00000000,00000001), ref: 005D4D5A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                        • String ID: %d/%02d/%02d
                                                        • API String ID: 4054740463-328681919
                                                        • Opcode ID: a0a1ad12fe1a173a3a91ea63ffd6ed0e674033179c4f694c992c563e386e244e
                                                        • Instruction ID: ccd8d28feda5bf24d07c785689808bde1f40959bc12544da3ebd48c7c499deaf
                                                        • Opcode Fuzzy Hash: a0a1ad12fe1a173a3a91ea63ffd6ed0e674033179c4f694c992c563e386e244e
                                                        • Instruction Fuzzy Hash: 2912CC71600216ABEB349F28CC49FAE7FA8FF85710F10452BF916EA2A1DB749945CF50
                                                        APIs
                                                          • Part of subcall function 005A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005A170D
                                                          • Part of subcall function 005A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005A173A
                                                          • Part of subcall function 005A16C3: GetLastError.KERNEL32 ref: 005A174A
                                                        • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 005A1286
                                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005A12A8
                                                        • CloseHandle.KERNEL32(?), ref: 005A12B9
                                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005A12D1
                                                        • GetProcessWindowStation.USER32 ref: 005A12EA
                                                        • SetProcessWindowStation.USER32(00000000), ref: 005A12F4
                                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 005A1310
                                                          • Part of subcall function 005A10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005A11FC), ref: 005A10D4
                                                          • Part of subcall function 005A10BF: CloseHandle.KERNEL32(?,?,005A11FC), ref: 005A10E9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                        • String ID: $default$winsta0$Z`
                                                        • API String ID: 22674027-3195565764
                                                        • Opcode ID: 56967c076f9defe5d5439572b3da52f27a01505594a9d339c9c2eb00870aaa48
                                                        • Instruction ID: c742443702ab4726f05b1a689d526e43077eaca7427fd5a84c98e5efc23c462b
                                                        • Opcode Fuzzy Hash: 56967c076f9defe5d5439572b3da52f27a01505594a9d339c9c2eb00870aaa48
                                                        • Instruction Fuzzy Hash: F3819C7190060AAFDF219FA8DC49FEE7FB9FF09704F14412AFA11A61A0D7318948DB24
                                                        APIs
                                                          • Part of subcall function 005A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005A1114
                                                          • Part of subcall function 005A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,005A0B9B,?,?,?), ref: 005A1120
                                                          • Part of subcall function 005A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005A0B9B,?,?,?), ref: 005A112F
                                                          • Part of subcall function 005A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005A0B9B,?,?,?), ref: 005A1136
                                                          • Part of subcall function 005A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005A114D
                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005A0BCC
                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005A0C00
                                                        • GetLengthSid.ADVAPI32(?), ref: 005A0C17
                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 005A0C51
                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005A0C6D
                                                        • GetLengthSid.ADVAPI32(?), ref: 005A0C84
                                                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 005A0C8C
                                                        • HeapAlloc.KERNEL32(00000000), ref: 005A0C93
                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 005A0CB4
                                                        • CopySid.ADVAPI32(00000000), ref: 005A0CBB
                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005A0CEA
                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005A0D0C
                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 005A0D1E
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005A0D45
                                                        • HeapFree.KERNEL32(00000000), ref: 005A0D4C
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005A0D55
                                                        • HeapFree.KERNEL32(00000000), ref: 005A0D5C
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005A0D65
                                                        • HeapFree.KERNEL32(00000000), ref: 005A0D6C
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 005A0D78
                                                        • HeapFree.KERNEL32(00000000), ref: 005A0D7F
                                                          • Part of subcall function 005A1193: GetProcessHeap.KERNEL32(00000008,005A0BB1,?,00000000,?,005A0BB1,?), ref: 005A11A1
                                                          • Part of subcall function 005A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,005A0BB1,?), ref: 005A11A8
                                                          • Part of subcall function 005A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,005A0BB1,?), ref: 005A11B7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                        • String ID:
                                                        • API String ID: 4175595110-0
                                                        • Opcode ID: f97cdc7f11abb77eb7aeb83d0b5b78307bc5d71558d00687a100959619edcaa0
                                                        • Instruction ID: f4282bfbf67efa0e389e1a6a6d17cf6f23b8f76c0b661a63446afbf4a1961a91
                                                        • Opcode Fuzzy Hash: f97cdc7f11abb77eb7aeb83d0b5b78307bc5d71558d00687a100959619edcaa0
                                                        • Instruction Fuzzy Hash: 26716C7290121AEBDF20DFE4DC48BAEBFB8BF15310F044616E915A7291D771A909CBA0
                                                        APIs
                                                        • OpenClipboard.USER32(005DCC08), ref: 005BEB29
                                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 005BEB37
                                                        • GetClipboardData.USER32(0000000D), ref: 005BEB43
                                                        • CloseClipboard.USER32 ref: 005BEB4F
                                                        • GlobalLock.KERNEL32(00000000), ref: 005BEB87
                                                        • CloseClipboard.USER32 ref: 005BEB91
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 005BEBBC
                                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 005BEBC9
                                                        • GetClipboardData.USER32(00000001), ref: 005BEBD1
                                                        • GlobalLock.KERNEL32(00000000), ref: 005BEBE2
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 005BEC22
                                                        • IsClipboardFormatAvailable.USER32(0000000F), ref: 005BEC38
                                                        • GetClipboardData.USER32(0000000F), ref: 005BEC44
                                                        • GlobalLock.KERNEL32(00000000), ref: 005BEC55
                                                        • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 005BEC77
                                                        • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 005BEC94
                                                        • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 005BECD2
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 005BECF3
                                                        • CountClipboardFormats.USER32 ref: 005BED14
                                                        • CloseClipboard.USER32 ref: 005BED59
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                        • String ID:
                                                        • API String ID: 420908878-0
                                                        • Opcode ID: ea233e7d9671f6874acb1b5bb8f006582bae9b3b2e68f71bb030b1998d4645ce
                                                        • Instruction ID: fba7efea78eec0d704bf540e9f4093a576973051f9f718f5ad4feda46932f137
                                                        • Opcode Fuzzy Hash: ea233e7d9671f6874acb1b5bb8f006582bae9b3b2e68f71bb030b1998d4645ce
                                                        • Instruction Fuzzy Hash: FE61C2352042029FD310EF24D88AFEA7FA4BF95714F18451EF456972A2CB71ED09DB62
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 005B69BE
                                                        • FindClose.KERNEL32(00000000), ref: 005B6A12
                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005B6A4E
                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005B6A75
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 005B6AB2
                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 005B6ADF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                        • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                        • API String ID: 3830820486-3289030164
                                                        • Opcode ID: 83e6a4a8e5705657ff822866b06d8d9a741350818607d35f5e37cc352f075323
                                                        • Instruction ID: c438a56edb57c264c924ae0ad2a095c72eb95d70ebd8b828bd1c1d6f5d3b48c8
                                                        • Opcode Fuzzy Hash: 83e6a4a8e5705657ff822866b06d8d9a741350818607d35f5e37cc352f075323
                                                        • Instruction Fuzzy Hash: 87D14071508301AEC714EBA4C89AEEFBBECBFC8704F444919F585D6191EB34DA48CB62
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 005B9663
                                                        • GetFileAttributesW.KERNEL32(?), ref: 005B96A1
                                                        • SetFileAttributesW.KERNEL32(?,?), ref: 005B96BB
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 005B96D3
                                                        • FindClose.KERNEL32(00000000), ref: 005B96DE
                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 005B96FA
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 005B974A
                                                        • SetCurrentDirectoryW.KERNEL32(00606B7C), ref: 005B9768
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 005B9772
                                                        • FindClose.KERNEL32(00000000), ref: 005B977F
                                                        • FindClose.KERNEL32(00000000), ref: 005B978F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                        • String ID: *.*
                                                        • API String ID: 1409584000-438819550
                                                        • Opcode ID: 21c3bb90964c1dfbaa994a5e2bc11cf00ceb383cfb1df85c21a9f8a91994b2c6
                                                        • Instruction ID: 3e68949527c61de7d94c13f846137840d96e3ffdaf286dbebe5d7bc6735900ca
                                                        • Opcode Fuzzy Hash: 21c3bb90964c1dfbaa994a5e2bc11cf00ceb383cfb1df85c21a9f8a91994b2c6
                                                        • Instruction Fuzzy Hash: F431B07654121A6ADB24AFB4DC49ADE7FACFF4A320F104157FA15E21A0EB30ED84DA50
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 005B97BE
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 005B9819
                                                        • FindClose.KERNEL32(00000000), ref: 005B9824
                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 005B9840
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 005B9890
                                                        • SetCurrentDirectoryW.KERNEL32(00606B7C), ref: 005B98AE
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 005B98B8
                                                        • FindClose.KERNEL32(00000000), ref: 005B98C5
                                                        • FindClose.KERNEL32(00000000), ref: 005B98D5
                                                          • Part of subcall function 005ADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005ADB00
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                        • String ID: *.*
                                                        • API String ID: 2640511053-438819550
                                                        • Opcode ID: 256236958fde0f3f6b843a1a8dc42f8139e707d8c829b3790814ee222ec723fc
                                                        • Instruction ID: 1ccda09727d0314630ac36e18caa2f2b361373e4835129c83639743096f14e80
                                                        • Opcode Fuzzy Hash: 256236958fde0f3f6b843a1a8dc42f8139e707d8c829b3790814ee222ec723fc
                                                        • Instruction Fuzzy Hash: DF31E33154121A6ADF20AFB4DC48ADE7FBCBF46320F104156FA54A21E0DB31ED89DB60
                                                        APIs
                                                          • Part of subcall function 005CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005CB6AE,?,?), ref: 005CC9B5
                                                          • Part of subcall function 005CC998: _wcslen.LIBCMT ref: 005CC9F1
                                                          • Part of subcall function 005CC998: _wcslen.LIBCMT ref: 005CCA68
                                                          • Part of subcall function 005CC998: _wcslen.LIBCMT ref: 005CCA9E
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005CBF3E
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 005CBFA9
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 005CBFCD
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 005CC02C
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005CC0E7
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005CC154
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005CC1E9
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 005CC23A
                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 005CC2E3
                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 005CC382
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 005CC38F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                                        • String ID:
                                                        • API String ID: 3102970594-0
                                                        • Opcode ID: c6461bd9cd71ee9f9aaebc0bd5e251a37271fbb26e945f1c496fd496845c4f31
                                                        • Instruction ID: 272c6374e45c1f872e2a70b12600d8499b9f9d7c2ba68ffbcc1f32eabe100dc8
                                                        • Opcode Fuzzy Hash: c6461bd9cd71ee9f9aaebc0bd5e251a37271fbb26e945f1c496fd496845c4f31
                                                        • Instruction Fuzzy Hash: 23023971604241AFD714CF68C895F2ABFE5BF89318F18889DE84ADB2A2D731EC45CB51
                                                        APIs
                                                        • GetLocalTime.KERNEL32(?), ref: 005B8257
                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 005B8267
                                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005B8273
                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005B8310
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 005B8324
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 005B8356
                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005B838C
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 005B8395
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectoryTime$File$Local$System
                                                        • String ID: *.*
                                                        • API String ID: 1464919966-438819550
                                                        • Opcode ID: c3a482766bda30b6acab8b4a4421c3b6b4b7b3b37bb2c882e770a62e95283952
                                                        • Instruction ID: e884ffe57b6c70b5b33f5a92623044f3128572451ffa83fde283fdfe0358d9ee
                                                        • Opcode Fuzzy Hash: c3a482766bda30b6acab8b4a4421c3b6b4b7b3b37bb2c882e770a62e95283952
                                                        • Instruction Fuzzy Hash: 756157765043469FCB10EF64C8449EEBBECFF89314F04891AF99987251EB31E949CB92
                                                        APIs
                                                          • Part of subcall function 00543AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00543A97,?,?,00542E7F,?,?,?,00000000), ref: 00543AC2
                                                          • Part of subcall function 005AE199: GetFileAttributesW.KERNEL32(?,005ACF95), ref: 005AE19A
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 005AD122
                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 005AD1DD
                                                        • MoveFileW.KERNEL32(?,?), ref: 005AD1F0
                                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 005AD20D
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 005AD237
                                                          • Part of subcall function 005AD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,005AD21C,?,?), ref: 005AD2B2
                                                        • FindClose.KERNEL32(00000000,?,?,?), ref: 005AD253
                                                        • FindClose.KERNEL32(00000000), ref: 005AD264
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                        • String ID: \*.*
                                                        • API String ID: 1946585618-1173974218
                                                        • Opcode ID: 2592b7ea8805be2d5a260c67aa2d424135e16ff610cf7516e8b7a5c27f884842
                                                        • Instruction ID: 946af1ecf38dd4b88f4c87630e5cb47894e08877e5bfd7914e79ada777df4443
                                                        • Opcode Fuzzy Hash: 2592b7ea8805be2d5a260c67aa2d424135e16ff610cf7516e8b7a5c27f884842
                                                        • Instruction Fuzzy Hash: 32616D3580110E9ACF15FBE0C996AEDBFB5BF96304F204165E402771A2EB315F09DB60
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                        • String ID:
                                                        • API String ID: 1737998785-0
                                                        • Opcode ID: 4f92a22ca4a12e01f142cd0a59c3a496c886033db9ff0cc1c4167d5832ba0b89
                                                        • Instruction ID: a08a5b1591fcd8d714948e68aa466e8cd518130bfdbc8796cd501bc375a0344a
                                                        • Opcode Fuzzy Hash: 4f92a22ca4a12e01f142cd0a59c3a496c886033db9ff0cc1c4167d5832ba0b89
                                                        • Instruction Fuzzy Hash: B441AB35205612AFE720CF19D88AB99BFA9FF44318F18C49AE4158B762C775FC45CB90
                                                        APIs
                                                          • Part of subcall function 005A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005A170D
                                                          • Part of subcall function 005A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005A173A
                                                          • Part of subcall function 005A16C3: GetLastError.KERNEL32 ref: 005A174A
                                                        • ExitWindowsEx.USER32(?,00000000), ref: 005AE932
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                        • String ID: $ $@$SeShutdownPrivilege
                                                        • API String ID: 2234035333-3163812486
                                                        • Opcode ID: 5ec8e3a15462aed3bb684104b126439f8abec6c67bb554e8d333b48ba338300a
                                                        • Instruction ID: f0d7683d52ae2b1b3250d3efbedaef0c0d72a2d310e6790770aeeb643bf85fc9
                                                        • Opcode Fuzzy Hash: 5ec8e3a15462aed3bb684104b126439f8abec6c67bb554e8d333b48ba338300a
                                                        • Instruction Fuzzy Hash: 8C01D672610312AFEB6466B49C8BBBF7A5CBB16750F154922F803E21D1D5A05C4491A4
                                                        APIs
                                                        • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005C1276
                                                        • WSAGetLastError.WSOCK32 ref: 005C1283
                                                        • bind.WSOCK32(00000000,?,00000010), ref: 005C12BA
                                                        • WSAGetLastError.WSOCK32 ref: 005C12C5
                                                        • closesocket.WSOCK32(00000000), ref: 005C12F4
                                                        • listen.WSOCK32(00000000,00000005), ref: 005C1303
                                                        • WSAGetLastError.WSOCK32 ref: 005C130D
                                                        • closesocket.WSOCK32(00000000), ref: 005C133C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$closesocket$bindlistensocket
                                                        • String ID:
                                                        • API String ID: 540024437-0
                                                        • Opcode ID: 49d5f6f604f942e3e1c5db293daad390baecb57ee00365722ab131480a93efdd
                                                        • Instruction ID: e59ac5e773cdc14bad21b52a3f15416e02fe81dd2322372b7ce445a97532b27a
                                                        • Opcode Fuzzy Hash: 49d5f6f604f942e3e1c5db293daad390baecb57ee00365722ab131480a93efdd
                                                        • Instruction Fuzzy Hash: FF416A39A005419FD720DF64C488F69BFE6BB86318F18858DE8568F293C771EC85CBA0
                                                        APIs
                                                        • _free.LIBCMT ref: 0057B9D4
                                                        • _free.LIBCMT ref: 0057B9F8
                                                        • _free.LIBCMT ref: 0057BB7F
                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005E3700), ref: 0057BB91
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0061121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0057BC09
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00611270,000000FF,?,0000003F,00000000,?), ref: 0057BC36
                                                        • _free.LIBCMT ref: 0057BD4B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                        • String ID:
                                                        • API String ID: 314583886-0
                                                        • Opcode ID: 221244c6b50bdd3339bbe98842bff156142aeae657451e7d2f3a55f2a608ad9a
                                                        • Instruction ID: f38e22dd08f03afa99fe87d5090fcdbe30f55d87770c96a527a65265155427c7
                                                        • Opcode Fuzzy Hash: 221244c6b50bdd3339bbe98842bff156142aeae657451e7d2f3a55f2a608ad9a
                                                        • Instruction Fuzzy Hash: 6AC129719042069FEB20AF79A845BAA7FB9FF81310F18C55AE95CDB251E7308E41E750
                                                        APIs
                                                          • Part of subcall function 00543AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00543A97,?,?,00542E7F,?,?,?,00000000), ref: 00543AC2
                                                          • Part of subcall function 005AE199: GetFileAttributesW.KERNEL32(?,005ACF95), ref: 005AE19A
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 005AD420
                                                        • DeleteFileW.KERNEL32(?,?,?,?), ref: 005AD470
                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 005AD481
                                                        • FindClose.KERNEL32(00000000), ref: 005AD498
                                                        • FindClose.KERNEL32(00000000), ref: 005AD4A1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                        • String ID: \*.*
                                                        • API String ID: 2649000838-1173974218
                                                        • Opcode ID: fbac5b6b8ff4a75990b13a182223859636582c5e0b2e161b5cde87039e507247
                                                        • Instruction ID: 2615373316e6e2ec44ae6dc0bf681ee0007adf6249648da8bbc9144cab60a0fd
                                                        • Opcode Fuzzy Hash: fbac5b6b8ff4a75990b13a182223859636582c5e0b2e161b5cde87039e507247
                                                        • Instruction Fuzzy Hash: AC315E710093469BC714EF64D85A8EF7FA8BED6304F444E1EF4D2531A1EB70AA09D762
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: __floor_pentium4
                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                        • API String ID: 4168288129-2761157908
                                                        • Opcode ID: bbd555887714d38ad3ab0ea16aaa872ef711dd0908ac0df53c79ea1fcd6737f5
                                                        • Instruction ID: e7dd6a429354f0d30bfe86fcf718b3c49afd5bd89c6ea845d14bd1604aa09fd6
                                                        • Opcode Fuzzy Hash: bbd555887714d38ad3ab0ea16aaa872ef711dd0908ac0df53c79ea1fcd6737f5
                                                        • Instruction Fuzzy Hash: C2C25B71E086298FDB25CE28ED457EABBB5FB48304F1485EAD44DE7240E774AE819F40
                                                        APIs
                                                        • _wcslen.LIBCMT ref: 005B64DC
                                                        • CoInitialize.OLE32(00000000), ref: 005B6639
                                                        • CoCreateInstance.OLE32(005DFCF8,00000000,00000001,005DFB68,?), ref: 005B6650
                                                        • CoUninitialize.OLE32 ref: 005B68D4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                        • String ID: .lnk
                                                        • API String ID: 886957087-24824748
                                                        • Opcode ID: ef1f0076b6f1fa1728512b90eea5da3c0c59ce806be0e3c18a77b3603e397b96
                                                        • Instruction ID: 641398cd062d7799ccac0ee24cc61710dba344740b9bce981c8c84d01b53fdd5
                                                        • Opcode Fuzzy Hash: ef1f0076b6f1fa1728512b90eea5da3c0c59ce806be0e3c18a77b3603e397b96
                                                        • Instruction Fuzzy Hash: 8AD14B71508202AFC314DF24C8859ABBBE9FFD8308F40496DF5958B2A1DB71ED09CB92
                                                        APIs
                                                        • GetForegroundWindow.USER32(?,?,00000000), ref: 005C22E8
                                                          • Part of subcall function 005BE4EC: GetWindowRect.USER32(?,?), ref: 005BE504
                                                        • GetDesktopWindow.USER32 ref: 005C2312
                                                        • GetWindowRect.USER32(00000000), ref: 005C2319
                                                        • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 005C2355
                                                        • GetCursorPos.USER32(?), ref: 005C2381
                                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005C23DF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                        • String ID:
                                                        • API String ID: 2387181109-0
                                                        • Opcode ID: 52efbc00dc0c56cd70ac9aae2ae3731764b64acb2cb5a6d613b1438c5c48c51f
                                                        • Instruction ID: 0d9e530c65109d3934a277e2832f7ef4bd47ffc814a3c827c62dbc08befc3f05
                                                        • Opcode Fuzzy Hash: 52efbc00dc0c56cd70ac9aae2ae3731764b64acb2cb5a6d613b1438c5c48c51f
                                                        • Instruction Fuzzy Hash: 7C31BC72505356AFCB20DF54D849F9BBBA9FB84B10F000A1EF985D7181DA34EA08CB92
                                                        APIs
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                        • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 005B9B78
                                                        • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 005B9C8B
                                                          • Part of subcall function 005B3874: GetInputState.USER32 ref: 005B38CB
                                                          • Part of subcall function 005B3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005B3966
                                                        • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 005B9BA8
                                                        • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 005B9C75
                                                        Strings
                                                         Memory Dump Source
                                                         • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                         Joe Sandbox IDA Plugin
                                                         • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                        • String ID: *.*
                                                        • API String ID: 1972594611-438819550
                                                        • Opcode ID: 7f309cbd912f3a2ae224e3607a10bcba010e73e834f819ddd696f9358dd4b2d6
                                                        • Instruction ID: 7ec7950a0f6be5047ce1badc4c72b2380f8891552118f711a84ad4dd8e0b6e13
                                                        • Opcode Fuzzy Hash: 7f309cbd912f3a2ae224e3607a10bcba010e73e834f819ddd696f9358dd4b2d6
                                                        • Instruction Fuzzy Hash: 5741417194520A9FDF14DFA4C989AEEBFB4FF45310F244556E505A31A1EB30AE84CF60
                                                        APIs
                                                          • Part of subcall function 00559BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00559BB2
                                                        • DefDlgProcW.USER32(?,?,?,?,?), ref: 00559A4E
                                                        • GetSysColor.USER32(0000000F), ref: 00559B23
                                                        • SetBkColor.GDI32(?,00000000), ref: 00559B36
                                                        Similarity
                                                        • API ID: Color$LongProcWindow
                                                        • String ID:
                                                        • API String ID: 3131106179-0
                                                        • Opcode ID: 07eca51e032c54471fa48c577fdba72d439e9f42fb2bcdb3485b9e9ad015de19
                                                        • Instruction ID: 424256984b9cbd485a743683d755351e6ce63ddaf20200a1c00c352b7f49e68e
                                                        • Opcode Fuzzy Hash: 07eca51e032c54471fa48c577fdba72d439e9f42fb2bcdb3485b9e9ad015de19
                                                        • Instruction Fuzzy Hash: 46A12BB0119549EEEB349B3CCC6CDBB2E5DFBC6352F14450BF902CA691CA299D09D272
                                                        APIs
                                                          • Part of subcall function 005C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005C307A
                                                          • Part of subcall function 005C304E: _wcslen.LIBCMT ref: 005C309B
                                                        • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 005C185D
                                                        • WSAGetLastError.WSOCK32 ref: 005C1884
                                                        • bind.WSOCK32(00000000,?,00000010), ref: 005C18DB
                                                        • WSAGetLastError.WSOCK32 ref: 005C18E6
                                                        • closesocket.WSOCK32(00000000), ref: 005C1915
                                                        Similarity
                                                        • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                        • String ID:
                                                        • API String ID: 1601658205-0
                                                        • Opcode ID: 591c0da0fe1b829cc75ef763a61ec683f5a04433f5dcf1b52c7a0077a2275717
                                                        • Instruction ID: cfb0e607d85a98bdfa59c4775e2f233461c628a096eaa8dcd7fc7228e1272345
                                                        • Opcode Fuzzy Hash: 591c0da0fe1b829cc75ef763a61ec683f5a04433f5dcf1b52c7a0077a2275717
                                                        • Instruction Fuzzy Hash: 0951B071A00211AFDB10AF64C88AF6ABBA5BB85718F04849DF9065F3C3D771AD41CBA1
                                                        Similarity
                                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                        • String ID:
                                                        • API String ID: 292994002-0
                                                        • Opcode ID: d45932a983965e32a8a650c3a91e61f64c3b675916c2ec313dc34dbd54109973
                                                        • Instruction ID: 84418727d7dcfa3f08682dee5a7a56b4d6d35599d9c5a088b80aea3c6a7781f1
                                                        • Opcode Fuzzy Hash: d45932a983965e32a8a650c3a91e61f64c3b675916c2ec313dc34dbd54109973
                                                        • Instruction Fuzzy Hash: 0321A031751A01AFD7308F2EC844B6A7FA5FF95315B18806BE8468B361DB71EC46CB98
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                        • API String ID: 0-1546025612
                                                        • Opcode ID: 08d1bb95c867db158a05c5eff3687bf957aa1020df57409397f656afb8c772f4
                                                        • Instruction ID: 06a40bdb35c6114d6e2fc4715c021768cb84f95d5404411de993192ba7cb4a4a
                                                        • Opcode Fuzzy Hash: 08d1bb95c867db158a05c5eff3687bf957aa1020df57409397f656afb8c772f4
                                                        • Instruction Fuzzy Hash: 89A25D74A0061ACBDF24DF58C8447FEBBB1BB54318F2485AAEC15A7285EB749D81CF90
                                                        APIs
                                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 005A82AA
                                                        Similarity
                                                        • API ID: lstrlen
                                                        • String ID: ($tb`$|
                                                        • API String ID: 1659193697-2163376563
                                                        • Opcode ID: b576090ff9c57d94ba891071bf16d89e667c3dedbb43137771e056e435912979
                                                        • Instruction ID: e229bee437f6c35bbd529e46203e7930b5a703bcdb97be720933d7b1f1effc29
                                                        • Opcode Fuzzy Hash: b576090ff9c57d94ba891071bf16d89e667c3dedbb43137771e056e435912979
                                                        • Instruction Fuzzy Hash: 35322675A007059FCB28CF59C481A6ABBF0FF48710B15C96EE59ADB3A1EB70E941CB40
                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 005CA6AC
                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 005CA6BA
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                        • Process32NextW.KERNEL32(00000000,?), ref: 005CA79C
                                                        • CloseHandle.KERNEL32(00000000), ref: 005CA7AB
                                                          • Part of subcall function 0055CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00583303,?), ref: 0055CE8A
                                                        Similarity
                                                        • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                        • String ID:
                                                        • API String ID: 1991900642-0
                                                        • Opcode ID: aac55dca078f3e45b9b3b3202305f5d5307737da22051bb5cdbbbd0717516880
                                                        • Instruction ID: ad24fb6e81880d4955a843988b7791977ae1c4ff6ffbe81fa1f8d443b96e2b7c
                                                        • Opcode Fuzzy Hash: aac55dca078f3e45b9b3b3202305f5d5307737da22051bb5cdbbbd0717516880
                                                        • Instruction Fuzzy Hash: 4451F771508311AFD710DF64C88AAABBBE8FFC9758F00491DF58597252EB70D904CB92
                                                        APIs
                                                        • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 005AAAAC
                                                        • SetKeyboardState.USER32(00000080), ref: 005AAAC8
                                                        • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 005AAB36
                                                        • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 005AAB88
                                                        Similarity
                                                        • API ID: KeyboardState$InputMessagePostSend
                                                        • String ID:
                                                        • API String ID: 432972143-0
                                                        • Opcode ID: 066a353e59c7a6be04c92f8f04d011e79a94a0bea1b0d75791a64a4f53c7bbb7
                                                        • Instruction ID: d573432aa6d6e874d97c2a741e24373f542ca78025dc6218e43c2783d7b3394a
                                                        • Opcode Fuzzy Hash: 066a353e59c7a6be04c92f8f04d011e79a94a0bea1b0d75791a64a4f53c7bbb7
                                                        • Instruction Fuzzy Hash: 95310530A4025CAEFF358A68CC09BFE7FAABB96310F04421BE181961D1D7758985D772
                                                        APIs
                                                        • InternetReadFile.WININET(?,?,00000400,?), ref: 005BCE89
                                                        • GetLastError.KERNEL32(?,00000000), ref: 005BCEEA
                                                        • SetEvent.KERNEL32(?,?,00000000), ref: 005BCEFE
                                                        Similarity
                                                        • API ID: ErrorEventFileInternetLastRead
                                                        • String ID:
                                                        • API String ID: 234945975-0
                                                        • Opcode ID: 78dee1962b6ad172bbaf8237dc816ec5b83284abb048bf8ccc1a70e7e56dc154
                                                        • Instruction ID: 54241163dd63bab62ccbfea8d02b4f4b50b62cc338e6d27bc80be6c8de08b438
                                                        • Opcode Fuzzy Hash: 78dee1962b6ad172bbaf8237dc816ec5b83284abb048bf8ccc1a70e7e56dc154
                                                        • Instruction Fuzzy Hash: 11218C71600306DBDB319FA5C949BA77FFCFB50354F10481EE54692151E770EA08DBA8
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 005B5CC1
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 005B5D17
                                                        • FindClose.KERNEL32(?), ref: 005B5D5F
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNext
                                                        • String ID:
                                                        • API String ID: 3541575487-0
                                                        • Opcode ID: 905fb80fd35589dfc263de524afdbea57311966b1d5c736a424aac49e8ebbaa4
                                                        • Instruction ID: 49a81e0ed56946bfe71114ee235b2e84c166e62f22f6c1af63d09f9040fb5704
                                                        • Opcode Fuzzy Hash: 905fb80fd35589dfc263de524afdbea57311966b1d5c736a424aac49e8ebbaa4
                                                        • Instruction Fuzzy Hash: 2B518C746046029FC718DF28C498A96BBE4FF89314F14865EE99A8B3A1DB30FD45CF91
                                                        APIs
                                                        • IsDebuggerPresent.KERNEL32 ref: 0057271A
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00572724
                                                        • UnhandledExceptionFilter.KERNEL32(?), ref: 00572731
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                        • String ID:
                                                        • API String ID: 3906539128-0
                                                        • Opcode ID: 133d01646caed1aef42453fd3a64e50e3b55823423132865547ce55591bfee66
                                                        • Instruction ID: a1fbda53112651f95f075ff5e6d3a0b7485b16563ce08edee094bea69497a65d
                                                        • Opcode Fuzzy Hash: 133d01646caed1aef42453fd3a64e50e3b55823423132865547ce55591bfee66
                                                        • Instruction Fuzzy Hash: F131D5749112199BCB21DF68DD8879DBBB8BF18310F5042EAE80CA7260E7309F858F44
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 005B51DA
                                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 005B5238
                                                        • SetErrorMode.KERNEL32(00000000), ref: 005B52A1
                                                        Similarity
                                                        • API ID: ErrorMode$DiskFreeSpace
                                                        • String ID:
                                                        • API String ID: 1682464887-0
                                                        • Opcode ID: 62f25cf70692018a38024f4ad6400e441d26427b6c6fccb7384e6cd90fa0ef72
                                                        • Instruction ID: 721b4548abc49f6c5b4b6897461d87682e11516a1e251826772df716d3f5304f
                                                        • Opcode Fuzzy Hash: 62f25cf70692018a38024f4ad6400e441d26427b6c6fccb7384e6cd90fa0ef72
                                                        • Instruction Fuzzy Hash: 45313C75A005199FDB00DF54D888AEDBFB5FF49318F048099E8459B352DB31E85ACB50
                                                        APIs
                                                          • Part of subcall function 0055FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00560668
                                                          • Part of subcall function 0055FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00560685
                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005A170D
                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005A173A
                                                        • GetLastError.KERNEL32 ref: 005A174A
                                                        Similarity
                                                        • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                        • String ID:
                                                        • API String ID: 577356006-0
                                                        • Opcode ID: 080243eb2f12c5ef9e09d5a88345b049c5e7e5f100faa19944291d67813659f7
                                                        • Instruction ID: d532381893f857e43be78304921782ee42020c99b74cdb2d068c5ae7d88a7e06
                                                        • Opcode Fuzzy Hash: 080243eb2f12c5ef9e09d5a88345b049c5e7e5f100faa19944291d67813659f7
                                                        • Instruction Fuzzy Hash: C011CEB2400305AFD728AF54DC8AD6EBBB9FB44714B20852FE45697241EB70BC45CB24
                                                        APIs
                                                        • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005AD608
                                                        • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 005AD645
                                                        • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005AD650
                                                        Memory Dump Source
                                                        Similarity
                                                        • API ID: CloseControlCreateDeviceFileHandle
                                                        • String ID:
                                                        • API String ID: 33631002-0
                                                        • Opcode ID: d27277ea7ec610100c54a8a88fcd400c000ee4e7aee47c2c5b6ebf92a4d6766e
                                                        • Instruction ID: c1fb90d1d16a1149916764f476d92233c3b787bd66888337ada201b5b8594a98
                                                        • Opcode Fuzzy Hash: d27277ea7ec610100c54a8a88fcd400c000ee4e7aee47c2c5b6ebf92a4d6766e
                                                        • Instruction Fuzzy Hash: C4117C75E05228BBDB208F949C44FAFBFBCEB45B50F108112F904E7290C2704A058BA1
                                                        APIs
                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 005A168C
                                                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005A16A1
                                                        • FreeSid.ADVAPI32(?), ref: 005A16B1
                                                        Memory Dump Source
                                                        Similarity
                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                        • String ID:
                                                        • API String ID: 3429775523-0
                                                        • Opcode ID: 383418d413f99c94e327e749c0fa5a88dcfd9eafdb0982db40f33366f4ec6bcb
                                                        • Instruction ID: d7ed9728c1781e7a39319c2669bd94f50edf18221c4b38fa5144cd804de6fc1f
                                                        • Opcode Fuzzy Hash: 383418d413f99c94e327e749c0fa5a88dcfd9eafdb0982db40f33366f4ec6bcb
                                                        • Instruction Fuzzy Hash: 12F0F471951309FBDF00DFE49D89AAEBBBCFB08604F504566E501E2181E774AA489A54
                                                        Strings
                                                        Memory Dump Source
                                                        Similarity
                                                        • API ID:
                                                        • String ID: /
                                                        • API String ID: 0-2043925204
                                                        • Opcode ID: c5f867c59702013c6ec87d1d71dba07298ad1f9eae405e144b6a1b339a798425
                                                        • Instruction ID: 39146afcbeaec01bad235c59c372a2cd70323092d54c314e2a1342d09311d77b
                                                        • Opcode Fuzzy Hash: c5f867c59702013c6ec87d1d71dba07298ad1f9eae405e144b6a1b339a798425
                                                        • Instruction Fuzzy Hash: A4412676500219AFCB209FB9EC4CDAB7FB8FB84314F10866DF909D7180E6709D419B50
                                                        APIs
                                                        • GetUserNameW.ADVAPI32(?,?), ref: 0059D28C
                                                        Strings
                                                        Memory Dump Source
                                                        Similarity
                                                        • API ID: NameUser
                                                        • String ID: X64
                                                        • API String ID: 2645101109-893830106
                                                        • Opcode ID: 89be33e66b2a48b114649e5e63acc7ad4aabe106a8b5fe6f44f25383c1e3dcc0
                                                        • Instruction ID: a4c186cebdc8fabc064d6800fcea1fa87dbb56b952be46e176e9b4803c9a47fe
                                                        • Opcode Fuzzy Hash: 89be33e66b2a48b114649e5e63acc7ad4aabe106a8b5fe6f44f25383c1e3dcc0
                                                        • Instruction Fuzzy Hash: 15D0C9B580111DEACFA0CB90DC8CDDDBB7CBB14305F100552F506A2080D73495489F20
                                                        Memory Dump Source
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                        • Instruction ID: 57a4378cb796f73d6b08a1558dea4023e753f2274ab3bcd9036018681fb6b210
                                                        • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                        • Instruction Fuzzy Hash: 2C020A71E012199BDF14CFA9C8806ADFFB5FF88314F25816AD859EB381D731AE418B94
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(?,?), ref: 005B6918
                                                        • FindClose.KERNEL32(00000000), ref: 005B6961
                                                        Memory Dump Source
                                                        Similarity
                                                        • API ID: Find$CloseFileFirst
                                                        • String ID:
                                                        • API String ID: 2295610775-0
                                                        • Opcode ID: 347cf22d8d249d5e918b1dac2c8e604fe524a5687b624a9d8e6d1232246dc211
                                                        • Instruction ID: 4a285d56e1af8b7dcda31d2d6c9be079570d61b28efad8e383e607e570921d3d
                                                        • Opcode Fuzzy Hash: 347cf22d8d249d5e918b1dac2c8e604fe524a5687b624a9d8e6d1232246dc211
                                                        • Instruction Fuzzy Hash: AD1190356042119FD710DF29D488A56BFE5FF89328F14C69AE8698F3A2C734EC45CB91
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,005C4891,?,?,00000035,?), ref: 005B37E4
                                                        • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,005C4891,?,?,00000035,?), ref: 005B37F4
                                                        Memory Dump Source
                                                        Similarity
                                                        • API ID: ErrorFormatLastMessage
                                                        • String ID:
                                                        • API String ID: 3479602957-0
                                                        • Opcode ID: f4a34be6f820e23081e84c7f124edf58af6edbdd98b62579ab7c7cce6bba821a
                                                        • Instruction ID: 63f87782fcaf724d7cc9d3a6cda7ea06dc3c7260e17479583f7a4432708a4633
                                                        • Opcode Fuzzy Hash: f4a34be6f820e23081e84c7f124edf58af6edbdd98b62579ab7c7cce6bba821a
                                                        • Instruction Fuzzy Hash: F3F0EC706052256AD72057655C4DFDB3F5DFFC4761F000176F509E2181D9605D08C7B0
                                                        APIs
                                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005A11FC), ref: 005A10D4
                                                        • CloseHandle.KERNEL32(?,?,005A11FC), ref: 005A10E9
                                                        Memory Dump Source
                                                        Similarity
                                                        • API ID: AdjustCloseHandlePrivilegesToken
                                                        • String ID:
                                                        • API String ID: 81990902-0
                                                        • Opcode ID: 0056ff3a773d7f61afa1bd416d689a0e8117f4232f4065b5d59dee0565c3e7ef
                                                        • Instruction ID: ca5f5ea15ee5ffecd615711b74a25ceb976c9c716e7b49682d09c6efae53f42e
                                                        • Opcode Fuzzy Hash: 0056ff3a773d7f61afa1bd416d689a0e8117f4232f4065b5d59dee0565c3e7ef
                                                        • Instruction Fuzzy Hash: B3E04F32004601AFE7252B11FC0AE777FA9FB04311F10882FF8A5804B1DB626C94EB14
                                                        APIs
                                                        • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00576766,?,?,00000008,?,?,0057FEFE,00000000), ref: 00576998
                                                        Memory Dump Source
                                                        Similarity
                                                        • API ID: ExceptionRaise
                                                        • String ID:
                                                        • API String ID: 3997070919-0
                                                        • Opcode ID: 3c1f76b3e63d68373698044b56f8580a29a0d55772cdb597d7f46193ca94f663
                                                        • Instruction ID: 752a9ef12a139e39be5c96c581cfd2793af3a5bc37599428756846c8d17a1ab8
                                                        • Opcode Fuzzy Hash: 3c1f76b3e63d68373698044b56f8580a29a0d55772cdb597d7f46193ca94f663
                                                        • Instruction Fuzzy Hash: E3B13531610A09DFD719CF28D48AB657FE0FB45364F29C698E899CF2A2C335E985DB40
                                                        Strings
                                                        Memory Dump Source
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID: 0-3916222277
                                                        • Opcode ID: 81ec1f5c5e2e8b48372d9f5f77e8d6a00a8f20680eadf17ed7154554fb210d01
                                                        • Instruction ID: 79fe4ac308bd01e2ada5b473706469974f9a01a496bfa9f5fdb38ffd6cd42e4f
                                                        • Opcode Fuzzy Hash: 81ec1f5c5e2e8b48372d9f5f77e8d6a00a8f20680eadf17ed7154554fb210d01
                                                        • Instruction Fuzzy Hash: 66126D71900229DFDF24CF58C894AFEBBB5FF48310F14859AE849EB251DB309A85CB90
                                                        APIs
                                                        • BlockInput.USER32(00000001), ref: 005BEABD
                                                        Memory Dump Source
                                                        Similarity
                                                        • API ID: BlockInput
                                                        • String ID:
                                                        • API String ID: 3456056419-0
                                                        • Opcode ID: a741586edc9eb2ee4f09842d41eba4e85845b2d06d5a150b05c832a33ff18dda
                                                        • Instruction ID: 909da72f46365cbbce93fe30119db01fd2bb105c35494bbcc17e15289e88383d
                                                        • Opcode Fuzzy Hash: a741586edc9eb2ee4f09842d41eba4e85845b2d06d5a150b05c832a33ff18dda
                                                        • Instruction Fuzzy Hash: 7FE0E531200205AFD710EB69D809ADABBEDBB98764F048416FC49C7291DA70E8448B90
                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005603EE), ref: 005609DA
                                                        Memory Dump Source
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        • String ID:
                                                        • API String ID: 3192549508-0
                                                        • Opcode ID: 6476638bdb8c4f05b45303fbdcb6ef27cc93afea669c2a7d209ceeb14b3a364d
                                                        • Instruction ID: 4f8bd9e305aacdb935590409c432cf036a79b85b8723e0a61353f68fde313eda
                                                        • Opcode Fuzzy Hash: 6476638bdb8c4f05b45303fbdcb6ef27cc93afea669c2a7d209ceeb14b3a364d
                                                        • Instruction Fuzzy Hash:
                                                        Strings
                                                        Memory Dump Source
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0
                                                        • API String ID: 0-4108050209
                                                        • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                        • Instruction ID: 3e3788561f2d5ecbf988124a0907695ce07f9b73dd1818d2ec727189ece5e0cb
                                                        • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                        • Instruction Fuzzy Hash: 2851577160C70E5BDB388578885D7BE6FD5BB5E34CF180A09D882D7382CA15EE41D356
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0&a
                                                        • API String ID: 0-574746216
                                                        • Opcode ID: dd17779ae0202697797c10a8a4f449bafda6665526bc660813f1ba9e7fd017e8
                                                        • Instruction ID: 2c764348218bb28f4513b79bd8fc07d7f9c4840eb472a1d10c502a5ba9f81aab
                                                        • Opcode Fuzzy Hash: dd17779ae0202697797c10a8a4f449bafda6665526bc660813f1ba9e7fd017e8
                                                        • Instruction Fuzzy Hash: 3921E7322206158BDB28CF79C8276BE77E5B754310F188A2EE4A7C33D0DE35A904CB90
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0c29f3f7fd15be22e862f57f3c8cf2d5480908f6d671d193211d0e91bf730351
                                                        • Instruction ID: 57abc3954a167d370d41d8551e0def91a1c19df4e95e54b078323885208c5ba8
                                                        • Opcode Fuzzy Hash: 0c29f3f7fd15be22e862f57f3c8cf2d5480908f6d671d193211d0e91bf730351
                                                        • Instruction Fuzzy Hash: 58324721D28F454DD7279634EC623356A8DBFBB3C5F15C737E81AB59AAEB28C4836100
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ea469424d2c4fe80130cc9f25a1fccda6462271566afbf07861751e34a325486
                                                        • Instruction ID: 9b135ca1c57973f1e579d7ed3ca2fac7f1adbdcb0f0ee74df12298a3ba1e74b0
                                                        • Opcode Fuzzy Hash: ea469424d2c4fe80130cc9f25a1fccda6462271566afbf07861751e34a325486
                                                        • Instruction Fuzzy Hash: C3321332A002558FDF28CF29C4A46BD7FA2FB45305F28856BD86A9B792D334DD85DB40
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 39c4d6913ad4afc28fcc6ae0821d346fb6ee563d25a5c32753bdf497442c41bf
                                                        • Instruction ID: 29f02e5dc4522ee8c630d7e40b2fb727dadb9b11bb02748611fee9586e64edc4
                                                        • Opcode Fuzzy Hash: 39c4d6913ad4afc28fcc6ae0821d346fb6ee563d25a5c32753bdf497442c41bf
                                                        • Instruction Fuzzy Hash: 1422AFB0A0460ADFDF14DF65C885AEEBBB6FF48304F144529E816A7291FB36AD14CB50
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 3dbd00cf539cc1cd12d76b2169e1b2376f2fe822c0441050ff62dd987d461d35
                                                        • Instruction ID: 4c83241c980f9bc239baf434414f5ca7c1b0d1c94ae157d615d5bc64b7a1b26f
                                                        • Opcode Fuzzy Hash: 3dbd00cf539cc1cd12d76b2169e1b2376f2fe822c0441050ff62dd987d461d35
                                                        • Instruction Fuzzy Hash: 7B02A8B1E00116EFDB04EF54D886AAEBFB5FF44304F108569E816AB291E731AE15CB91
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 76c89c287ac3078325976377a863e6b3686b511d45bccfef5d26ffb72cac9cc1
                                                        • Instruction ID: ad7960ce2e7c5a45ccbaf68b662915c3ec50592b9026c977a2a73ce949cfb173
                                                        • Opcode Fuzzy Hash: 76c89c287ac3078325976377a863e6b3686b511d45bccfef5d26ffb72cac9cc1
                                                        • Instruction Fuzzy Hash: 27B13620D2AF804DD32396398875336BA4C7FBB2C5F91DB1BFC6639D22EB2185879140
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 530103d205c52f49b662606af05972505441e7c810223b6a6795927d60bf5091
                                                        • Instruction ID: a05cf4f18884b437e11c64c72b5a5f85b5daf5ce3b2c1653392598131c9e340a
                                                        • Opcode Fuzzy Hash: 530103d205c52f49b662606af05972505441e7c810223b6a6795927d60bf5091
                                                        • Instruction Fuzzy Hash: 65616C7120870E56DE349A688D95BBE6F94FF8D70CF140E19E843DB2A1ED119E42C355
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6fe35e9081636abed1c88996a46013d0bfce9c5ce09a2a1a845a6ff7644adc52
                                                        • Instruction ID: 935e8488d19dc92ed777852dc02fc20415bbe83b8d23b0137cdebcda04d14719
                                                        • Opcode Fuzzy Hash: 6fe35e9081636abed1c88996a46013d0bfce9c5ce09a2a1a845a6ff7644adc52
                                                        • Instruction Fuzzy Hash: CB617B7160870E56DF388A388855BBF2FA8FF9E70CF140E59E943DB281EA129D458355
                                                        APIs
                                                        • DeleteObject.GDI32(00000000), ref: 005C2B30
                                                        • DeleteObject.GDI32(00000000), ref: 005C2B43
                                                        • DestroyWindow.USER32 ref: 005C2B52
                                                        • GetDesktopWindow.USER32 ref: 005C2B6D
                                                        • GetWindowRect.USER32(00000000), ref: 005C2B74
                                                        • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 005C2CA3
                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 005C2CB1
                                                        • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005C2CF8
                                                        • GetClientRect.USER32(00000000,?), ref: 005C2D04
                                                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 005C2D40
                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005C2D62
                                                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005C2D75
                                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005C2D80
                                                        • GlobalLock.KERNEL32(00000000), ref: 005C2D89
                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005C2D98
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 005C2DA1
                                                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005C2DA8
                                                        • GlobalFree.KERNEL32(00000000), ref: 005C2DB3
                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005C2DC5
                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,005DFC38,00000000), ref: 005C2DDB
                                                        • GlobalFree.KERNEL32(00000000), ref: 005C2DEB
                                                        • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 005C2E11
                                                        • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 005C2E30
                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005C2E52
                                                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005C303F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                        • String ID: $AutoIt v3$DISPLAY$static
                                                        • API String ID: 2211948467-2373415609
                                                        • Opcode ID: 1220674037e08303856527bbbdbff4e914d34cdca4741b62b801d42f91acca4f
                                                        • Instruction ID: b41a2c8e96db2e07899cbe2841e07523fdae7713f26ac4525a95c602e6b4d24f
                                                        • Opcode Fuzzy Hash: 1220674037e08303856527bbbdbff4e914d34cdca4741b62b801d42f91acca4f
                                                        • Instruction Fuzzy Hash: CD028D7190021AAFDB14DFA4CC89EAE7FB9FB49314F04851AF915AB2A1D730ED04DB60
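Added analyst helper, not part of this report, of Joe Sandbox or of AutoIt: the function records in this section list raw Win32 calls with hexadecimal arguments, and triage of a compiled AutoIt binary is faster once the window styles and message ids are expanded and the interpreter's own GUI code is labelled as such. The script below parses "APIs" lines in the format used here (bullet, `Func.MODULE(args), ref: address`, with `?` for arguments the sandbox could not recover), expands the style and message constants from winuser.h and commctrl.h, and applies one heuristic that is the analyst's inference rather than anything the report states: a window of class `AutoIt v3` with a `static` SS_BITMAP child fed through OleLoadPicture and STM_SETIMAGE is the interpreter's splash-image window, and with an `msctls_progress32` child it is the interpreter's progress window. The sample lines are copied from the API lists in this section; the names `decode_line`, `decode_report` and `classify` are the author's of this example.

```python
"""Decode Joe Sandbox 'APIs' lines and label AutoIt-runtime GUI call chains.

Added analyst helper (not part of the report or of AutoIt). Constant values
are from winuser.h / commctrl.h; the AutoIt labelling in classify() is an
analyst heuristic, not a field of the report.
"""
import re
from typing import Dict, List, Optional

# Sample input: lines copied from the 'APIs' lists of this report.
SPLASH_LINES = """
• DestroyWindow.USER32 ref: 005C2B52
• CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005C2CF8
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 005C2D40
• OleLoadPicture.OLEAUT32(?,00000000,00000000,005DFC38,00000000), ref: 005C2DDB
• SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 005C2E30
"""
PROGRESS_LINES = """
• CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 005C2900
• SendMessageW.USER32(00000030,00000000,00000001), ref: 005C29DD
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 005C2A1D
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 005C2A31
• SendMessageW.USER32(00000404,00000001,00000000), ref: 005C2A42
"""

# '• Func.MODULE(arg,arg), ref: ADDR'; the argument list is absent for some calls.
API_RE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")

WS_STYLES = {  # winuser.h window styles (high word of the style argument)
    0x80000000: "WS_POPUP", 0x40000000: "WS_CHILD", 0x20000000: "WS_MINIMIZE",
    0x10000000: "WS_VISIBLE", 0x08000000: "WS_DISABLED", 0x04000000: "WS_CLIPSIBLINGS",
    0x02000000: "WS_CLIPCHILDREN", 0x01000000: "WS_MAXIMIZE", 0x00800000: "WS_BORDER",
    0x00400000: "WS_DLGFRAME", 0x00200000: "WS_VSCROLL", 0x00100000: "WS_HSCROLL",
    0x00080000: "WS_SYSMENU", 0x00040000: "WS_THICKFRAME", 0x00020000: "WS_GROUP",
    0x00010000: "WS_TABSTOP",
}
CLASS_STYLES = {  # class-specific low-word styles for the two classes seen here
    "static": {0x0E: "SS_BITMAP"}, "msctls_progress32": {0x01: "PBS_SMOOTH"},
}
WS_EX = {0x00000008: "WS_EX_TOPMOST", 0x00000200: "WS_EX_CLIENTEDGE"}
MESSAGES = {0x30: "WM_SETFONT", 0x172: "STM_SETIMAGE", 0x401: "PBM_SETRANGE",
            0x402: "PBM_SETPOS", 0x404: "PBM_SETSTEP"}


def parse_arg(text: str):
    """'0000001D' -> 29, '-0000001D' -> -29; '?' (unrecovered) and strings stay str."""
    text = text.strip()
    m = re.fullmatch(r"(-?)([0-9A-Fa-f]{8})", text)
    if not m:
        return text
    value = int(m.group(2), 16)
    return -value if m.group(1) else value


def decode_style(style: int, cls: str) -> List[str]:
    names = [n for bit, n in WS_STYLES.items() if style & bit]
    names += [n for bit, n in CLASS_STYLES.get(cls, {}).items() if (style & 0xFFFF) & bit]
    return names


def decode_line(line: str) -> Optional[Dict]:
    """Parse one API line; None for lines in another format (e.g. subcall notes)."""
    m = API_RE.match(line)
    if not m:
        return None
    func, module, raw_args, ref = m.groups()
    args = [parse_arg(a) for a in raw_args.split(",")] if raw_args else []
    rec = {"func": func, "module": module, "args": args, "ref": ref, "notes": []}
    if func == "CreateWindowExW" and len(args) >= 4:
        ex_style, cls, style = args[0], args[1], args[3]
        if isinstance(ex_style, int):
            rec["notes"] += [n for bit, n in WS_EX.items() if ex_style & bit]
        if isinstance(style, int):
            rec["notes"] += decode_style(style, cls if isinstance(cls, str) else "")
        if cls == "AutoIt v3":
            rec["notes"].append("window class registered by the AutoIt v3 interpreter")
    elif func == "SendMessageW" and args:
        # The report prints only the arguments it recovered from the stack: a
        # three-argument SendMessageW has lost hwnd and starts at the message id.
        i = 1 if len(args) >= 4 else 0
        name = MESSAGES.get(args[i])
        if name:
            rec["notes"].append(name)
        if name == "PBM_SETRANGE" and len(args) > i + 2 and isinstance(args[i + 2], int):
            lp = args[i + 2]  # lParam is MAKELPARAM(low, high)
            rec["notes"].append(f"range {lp & 0xFFFF}..{lp >> 16}")
    return rec


def decode_report(text: str) -> List[Dict]:
    return [r for r in (decode_line(line) for line in text.splitlines()) if r]


def classify(records: List[Dict]) -> str:
    """Analyst heuristic for AutoIt runtime GUI helpers (not a report field)."""
    classes = {r["args"][1] for r in records
               if r["func"] == "CreateWindowExW" and len(r["args"]) > 1}
    msgs = {n for r in records for n in r["notes"] if n in MESSAGES.values()}
    if "AutoIt v3" not in classes:
        return "not an AutoIt runtime window"
    if "msctls_progress32" in classes:
        return "AutoIt runtime progress window (ProgressOn-style)"
    if "STM_SETIMAGE" in msgs:
        return "AutoIt runtime splash-image window (SplashImageOn-style)"
    return "AutoIt runtime window"


if __name__ == "__main__":
    for label, text in (("005C2B30 function", SPLASH_LINES), ("005C273E function", PROGRESS_LINES)):
        recs = decode_report(text)
        print(f"{label}: {classify(recs)}")
        for r in recs:
            print(f"  {r['ref']} {r['func']}: {', '.join(r['notes']) or '-'}")
```

The style 88C00000 on both `AutoIt v3` windows expands to WS_POPUP | WS_DISABLED | WS_CAPTION (WS_BORDER | WS_DLGFRAME), i.e. a captioned pop-up that takes no input, and the progress window is additionally WS_EX_TOPMOST; that, plus the PBM_SETRANGE 0..100 and PBM_SETSTEP 1 initialisation, is interpreter boilerplate shared by every compiled AutoIt script, so these two records say nothing about what the embedded script does. The same parser runs over any of the "APIs" lists in this report; lines it does not recognise, such as the "Part of subcall function" notes, are skipped rather than mis-decoded.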
                                                        APIs
                                                        • SetTextColor.GDI32(?,00000000), ref: 005D712F
                                                        • GetSysColorBrush.USER32(0000000F), ref: 005D7160
                                                        • GetSysColor.USER32(0000000F), ref: 005D716C
                                                        • SetBkColor.GDI32(?,000000FF), ref: 005D7186
                                                        • SelectObject.GDI32(?,?), ref: 005D7195
                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 005D71C0
                                                        • GetSysColor.USER32(00000010), ref: 005D71C8
                                                        • CreateSolidBrush.GDI32(00000000), ref: 005D71CF
                                                        • FrameRect.USER32(?,?,00000000), ref: 005D71DE
                                                        • DeleteObject.GDI32(00000000), ref: 005D71E5
                                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 005D7230
                                                        • FillRect.USER32(?,?,?), ref: 005D7262
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 005D7284
                                                          • Part of subcall function 005D73E8: GetSysColor.USER32(00000012), ref: 005D7421
                                                          • Part of subcall function 005D73E8: SetTextColor.GDI32(?,?), ref: 005D7425
                                                          • Part of subcall function 005D73E8: GetSysColorBrush.USER32(0000000F), ref: 005D743B
                                                          • Part of subcall function 005D73E8: GetSysColor.USER32(0000000F), ref: 005D7446
                                                          • Part of subcall function 005D73E8: GetSysColor.USER32(00000011), ref: 005D7463
                                                          • Part of subcall function 005D73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 005D7471
                                                          • Part of subcall function 005D73E8: SelectObject.GDI32(?,00000000), ref: 005D7482
                                                          • Part of subcall function 005D73E8: SetBkColor.GDI32(?,00000000), ref: 005D748B
                                                          • Part of subcall function 005D73E8: SelectObject.GDI32(?,?), ref: 005D7498
                                                          • Part of subcall function 005D73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 005D74B7
                                                          • Part of subcall function 005D73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005D74CE
                                                          • Part of subcall function 005D73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 005D74DB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                        • String ID:
                                                        • API String ID: 4124339563-0
                                                        • Opcode ID: 771b429e6756173b3219912789951f746c952ea17d95fa5cd772a0f2e003f14c
                                                        • Instruction ID: ae6eb41f2e491d9d03aca58235420094a2e4e861af9868a94ce459628e3b2804
                                                        • Opcode Fuzzy Hash: 771b429e6756173b3219912789951f746c952ea17d95fa5cd772a0f2e003f14c
                                                        • Instruction Fuzzy Hash: BCA1A272009316AFDB209F64DC48E5BBFA9FB59321F100B1BF962961E1E730E948DB51
                                                        APIs
                                                        • DestroyWindow.USER32(00000000), ref: 005C273E
                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005C286A
                                                        • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 005C28A9
                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 005C28B9
                                                        • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 005C2900
                                                        • GetClientRect.USER32(00000000,?), ref: 005C290C
                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 005C2955
                                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 005C2964
                                                        • GetStockObject.GDI32(00000011), ref: 005C2974
                                                        • SelectObject.GDI32(00000000,00000000), ref: 005C2978
                                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 005C2988
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005C2991
                                                        • DeleteDC.GDI32(00000000), ref: 005C299A
                                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005C29C6
                                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 005C29DD
                                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 005C2A1D
                                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 005C2A31
                                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 005C2A42
                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 005C2A77
                                                        • GetStockObject.GDI32(00000011), ref: 005C2A82
                                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005C2A8D
                                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 005C2A97
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                        • API String ID: 2910397461-517079104
                                                        • Opcode ID: 79b52a3c38f8805527b7d2761be5fda4993c4a440fa97505de7ea03e7703a287
                                                        • Instruction ID: 96fd05a6ad414bd5207f3528abd8662bc70e4a1522f0fbd0d3205be6a5d59da3
                                                        • Opcode Fuzzy Hash: 79b52a3c38f8805527b7d2761be5fda4993c4a440fa97505de7ea03e7703a287
                                                        • Instruction Fuzzy Hash: 9CB15071A40216AFEB14DFA8CC49FAE7BA9FB49714F00851AFA15EB290D774ED40CB50
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 005B4AED
                                                        • GetDriveTypeW.KERNEL32(?,005DCB68,?,\\.\,005DCC08), ref: 005B4BCA
                                                        • SetErrorMode.KERNEL32(00000000,005DCB68,?,\\.\,005DCC08), ref: 005B4D36
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$DriveType
                                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                        • API String ID: 2907320926-4222207086
                                                        • Opcode ID: 4450c403437fd19b56b7147be8e275dd78da5e965d941ddb39c3c072912e1669
                                                        • Instruction ID: 2a722ff44ca7bc6ed14d5c9c28aa3a7c4919ae262b138d70b7b705f6c1401508
                                                        • Opcode Fuzzy Hash: 4450c403437fd19b56b7147be8e275dd78da5e965d941ddb39c3c072912e1669
                                                        • Instruction Fuzzy Hash: CA619F306855069BCB28DF24C9869FE7FA1BF44B04B204816F806AB6D3DB21FD55DF51
                                                        APIs
                                                        • GetSysColor.USER32(00000012), ref: 005D7421
                                                        • SetTextColor.GDI32(?,?), ref: 005D7425
                                                        • GetSysColorBrush.USER32(0000000F), ref: 005D743B
                                                        • GetSysColor.USER32(0000000F), ref: 005D7446
                                                        • CreateSolidBrush.GDI32(?), ref: 005D744B
                                                        • GetSysColor.USER32(00000011), ref: 005D7463
                                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 005D7471
                                                        • SelectObject.GDI32(?,00000000), ref: 005D7482
                                                        • SetBkColor.GDI32(?,00000000), ref: 005D748B
                                                        • SelectObject.GDI32(?,?), ref: 005D7498
                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 005D74B7
                                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005D74CE
                                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 005D74DB
                                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005D752A
                                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 005D7554
                                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 005D7572
                                                        • DrawFocusRect.USER32(?,?), ref: 005D757D
                                                        • GetSysColor.USER32(00000011), ref: 005D758E
                                                        • SetTextColor.GDI32(?,00000000), ref: 005D7596
                                                        • DrawTextW.USER32(?,005D70F5,000000FF,?,00000000), ref: 005D75A8
                                                        • SelectObject.GDI32(?,?), ref: 005D75BF
                                                        • DeleteObject.GDI32(?), ref: 005D75CA
                                                        • SelectObject.GDI32(?,?), ref: 005D75D0
                                                        • DeleteObject.GDI32(?), ref: 005D75D5
                                                        • SetTextColor.GDI32(?,?), ref: 005D75DB
                                                        • SetBkColor.GDI32(?,?), ref: 005D75E5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                        • String ID:
                                                        • API String ID: 1996641542-0
                                                        • Opcode ID: 8e1f9b0ad13208c35d627b5a0723a1a5c05ab0d4b0e22b82c23fc108e10db7ae
                                                        • Instruction ID: fd9e606536813ae1dd31b486cb44e78ed545fa90ab6dc65fca3eb2f3b4d369a3
                                                        • Opcode Fuzzy Hash: 8e1f9b0ad13208c35d627b5a0723a1a5c05ab0d4b0e22b82c23fc108e10db7ae
                                                        • Instruction Fuzzy Hash: 1D616172901219AFDF219FA8DC49EEEBF79FB08320F104117F915AB2A1D7709940DB90
                                                        APIs
                                                        • GetCursorPos.USER32(?), ref: 005D1128
                                                        • GetDesktopWindow.USER32 ref: 005D113D
                                                        • GetWindowRect.USER32(00000000), ref: 005D1144
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 005D1199
                                                        • DestroyWindow.USER32(?), ref: 005D11B9
                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005D11ED
                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005D120B
                                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005D121D
                                                        • SendMessageW.USER32(00000000,00000421,?,?), ref: 005D1232
                                                        • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 005D1245
                                                        • IsWindowVisible.USER32(00000000), ref: 005D12A1
                                                        • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 005D12BC
                                                        • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 005D12D0
                                                        • GetWindowRect.USER32(00000000,?), ref: 005D12E8
                                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 005D130E
                                                        • GetMonitorInfoW.USER32(00000000,?), ref: 005D1328
                                                        • CopyRect.USER32(?,?), ref: 005D133F
                                                        • SendMessageW.USER32(00000000,00000412,00000000), ref: 005D13AA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                        • String ID: ($0$tooltips_class32
                                                        • API String ID: 698492251-4156429822
                                                        • Opcode ID: fb991c3701811ede808c6821fdfab8ec6de4326beb114ccd31e5d82f168fc22d
                                                        • Instruction ID: 7a6d71cd3acf0d92714c5ba45e3b542188f9d7aa1ff1cb975056ec1db1636552
                                                        • Opcode Fuzzy Hash: fb991c3701811ede808c6821fdfab8ec6de4326beb114ccd31e5d82f168fc22d
                                                        • Instruction Fuzzy Hash: 5EB19E71608741AFD720DF68C889BABBFE4FF84344F00891AF9999B261D731E844CB95
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?), ref: 005D02E5
                                                        • _wcslen.LIBCMT ref: 005D031F
                                                        • _wcslen.LIBCMT ref: 005D0389
                                                        • _wcslen.LIBCMT ref: 005D03F1
                                                        • _wcslen.LIBCMT ref: 005D0475
                                                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 005D04C5
                                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005D0504
                                                          • Part of subcall function 0055F9F2: _wcslen.LIBCMT ref: 0055F9FD
                                                          • Part of subcall function 005A223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005A2258
                                                          • Part of subcall function 005A223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005A228A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$MessageSend$BuffCharUpper
                                                        • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                        • API String ID: 1103490817-719923060
                                                        • Opcode ID: 9dadf9a520a3d6a5f2d6b79829b661a0439a36cdc798b60b376c5d6117811119
                                                        • Instruction ID: 69eb08e503eba69dc5f01f9a058ee6f3ccd58e8ecceef804a91d3abae9125da1
                                                        • Opcode Fuzzy Hash: 9dadf9a520a3d6a5f2d6b79829b661a0439a36cdc798b60b376c5d6117811119
                                                        • Instruction Fuzzy Hash: E5E18D316082029FCB24DF28C455A6ABBE6BFC8318F14595EF8969B3E1DB30ED45CB51
                                                        APIs
                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00558968
                                                        • GetSystemMetrics.USER32(00000007), ref: 00558970
                                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0055899B
                                                        • GetSystemMetrics.USER32(00000008), ref: 005589A3
                                                        • GetSystemMetrics.USER32(00000004), ref: 005589C8
                                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005589E5
                                                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005589F5
                                                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00558A28
                                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00558A3C
                                                        • GetClientRect.USER32(00000000,000000FF), ref: 00558A5A
                                                        • GetStockObject.GDI32(00000011), ref: 00558A76
                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00558A81
                                                          • Part of subcall function 0055912D: GetCursorPos.USER32(?), ref: 00559141
                                                          • Part of subcall function 0055912D: ScreenToClient.USER32(00000000,?), ref: 0055915E
                                                          • Part of subcall function 0055912D: GetAsyncKeyState.USER32(00000001), ref: 00559183
                                                          • Part of subcall function 0055912D: GetAsyncKeyState.USER32(00000002), ref: 0055919D
                                                        • SetTimer.USER32(00000000,00000000,00000028,005590FC), ref: 00558AA8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                        • String ID: AutoIt v3 GUI
                                                        • API String ID: 1458621304-248962490
                                                        • Opcode ID: 6829dd348465fc9d4eca4b8e062afae1c6301f2c30e90ff90d2f469bb0170cf5
                                                        • Instruction ID: 37e4f8d82804f4330b709bd98c01e18ed9de1cea1e42f0677afaa4391372ec48
                                                        • Opcode Fuzzy Hash: 6829dd348465fc9d4eca4b8e062afae1c6301f2c30e90ff90d2f469bb0170cf5
                                                        • Instruction Fuzzy Hash: 4FB16B31A0020A9FDF14DFA8D859BEE3FB5FB48315F14462AFA15AB290DB34E845CB50
                                                        APIs
                                                          • Part of subcall function 005A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005A1114
                                                          • Part of subcall function 005A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,005A0B9B,?,?,?), ref: 005A1120
                                                          • Part of subcall function 005A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005A0B9B,?,?,?), ref: 005A112F
                                                          • Part of subcall function 005A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005A0B9B,?,?,?), ref: 005A1136
                                                          • Part of subcall function 005A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005A114D
                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005A0DF5
                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005A0E29
                                                        • GetLengthSid.ADVAPI32(?), ref: 005A0E40
                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 005A0E7A
                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005A0E96
                                                        • GetLengthSid.ADVAPI32(?), ref: 005A0EAD
                                                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 005A0EB5
                                                        • HeapAlloc.KERNEL32(00000000), ref: 005A0EBC
                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 005A0EDD
                                                        • CopySid.ADVAPI32(00000000), ref: 005A0EE4
                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005A0F13
                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005A0F35
                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 005A0F47
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005A0F6E
                                                        • HeapFree.KERNEL32(00000000), ref: 005A0F75
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005A0F7E
                                                        • HeapFree.KERNEL32(00000000), ref: 005A0F85
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005A0F8E
                                                        • HeapFree.KERNEL32(00000000), ref: 005A0F95
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 005A0FA1
                                                        • HeapFree.KERNEL32(00000000), ref: 005A0FA8
                                                          • Part of subcall function 005A1193: GetProcessHeap.KERNEL32(00000008,005A0BB1,?,00000000,?,005A0BB1,?), ref: 005A11A1
                                                          • Part of subcall function 005A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,005A0BB1,?), ref: 005A11A8
                                                          • Part of subcall function 005A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,005A0BB1,?), ref: 005A11B7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                        • String ID:
                                                        • API String ID: 4175595110-0
                                                        • Opcode ID: 6e6c128cf4953d177d43eed2bb27340cb017808f12ad855da1e690f2db39da36
                                                        • Instruction ID: ac1543e9fbc5641c591e3423061bc6b3a59a06d5a71581d0a4b3607537f4028c
                                                        • Opcode Fuzzy Hash: 6e6c128cf4953d177d43eed2bb27340cb017808f12ad855da1e690f2db39da36
                                                        • Instruction Fuzzy Hash: 94715C7290121AEFDF209FA4DC88BAEBFB8BF15311F144116F919B6191D731A909DB60
                                                        APIs
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005CC4BD
                                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,005DCC08,00000000,?,00000000,?,?), ref: 005CC544
                                                        • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 005CC5A4
                                                        • _wcslen.LIBCMT ref: 005CC5F4
                                                        • _wcslen.LIBCMT ref: 005CC66F
                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 005CC6B2
                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 005CC7C1
                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 005CC84D
                                                        • RegCloseKey.ADVAPI32(?), ref: 005CC881
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 005CC88E
                                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 005CC960
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                        • API String ID: 9721498-966354055
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?), ref: 005D09C6
                                                        • _wcslen.LIBCMT ref: 005D0A01
                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005D0A54
                                                        • _wcslen.LIBCMT ref: 005D0A8A
                                                        • _wcslen.LIBCMT ref: 005D0B06
                                                        • _wcslen.LIBCMT ref: 005D0B81
                                                          • Part of subcall function 0055F9F2: _wcslen.LIBCMT ref: 0055F9FD
                                                          • Part of subcall function 005A2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005A2BFA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$MessageSend$BuffCharUpper
                                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                        • API String ID: 1103490817-4258414348
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: _wcslen$BuffCharUpper
                                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                        • API String ID: 1256254125-909552448
                                                        APIs
                                                        • _wcslen.LIBCMT ref: 005D835A
                                                        • _wcslen.LIBCMT ref: 005D836E
                                                        • _wcslen.LIBCMT ref: 005D8391
                                                        • _wcslen.LIBCMT ref: 005D83B4
                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005D83F2
                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,005D5BF2), ref: 005D844E
                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005D8487
                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005D84CA
                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005D8501
                                                        • FreeLibrary.KERNEL32(?), ref: 005D850D
                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005D851D
                                                        • DestroyIcon.USER32(?,?,?,?,?,005D5BF2), ref: 005D852C
                                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005D8549
                                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005D8555
                                                        Strings
                                                        Similarity
                                                        • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                        • String ID: .dll$.exe$.icl
                                                        • API String ID: 799131459-1154884017
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                        • API String ID: 0-1645009161
                                                        APIs
                                                        • CharLowerBuffW.USER32(?,?), ref: 005B3EF8
                                                        • _wcslen.LIBCMT ref: 005B3F03
                                                        • _wcslen.LIBCMT ref: 005B3F5A
                                                        • _wcslen.LIBCMT ref: 005B3F98
                                                        • GetDriveTypeW.KERNEL32(?), ref: 005B3FD6
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005B401E
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005B4059
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005B4087
                                                        Strings
                                                        Similarity
                                                        • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                        • API String ID: 1839972693-4113822522
                                                        APIs
                                                        • LoadIconW.USER32(00000063), ref: 005A5A2E
                                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005A5A40
                                                        • SetWindowTextW.USER32(?,?), ref: 005A5A57
                                                        • GetDlgItem.USER32(?,000003EA), ref: 005A5A6C
                                                        • SetWindowTextW.USER32(00000000,?), ref: 005A5A72
                                                        • GetDlgItem.USER32(?,000003E9), ref: 005A5A82
                                                        • SetWindowTextW.USER32(00000000,?), ref: 005A5A88
                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 005A5AA9
                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 005A5AC3
                                                        • GetWindowRect.USER32(?,?), ref: 005A5ACC
                                                        • _wcslen.LIBCMT ref: 005A5B33
                                                        • SetWindowTextW.USER32(?,?), ref: 005A5B6F
                                                        • GetDesktopWindow.USER32 ref: 005A5B75
                                                        • GetWindowRect.USER32(00000000), ref: 005A5B7C
                                                        • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 005A5BD3
                                                        • GetClientRect.USER32(?,?), ref: 005A5BE0
                                                        • PostMessageW.USER32(?,00000005,00000000,?), ref: 005A5C05
                                                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 005A5C2F
                                                        Similarity
                                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                        • String ID:
                                                        • API String ID: 895679908-0
                                                        APIs
                                                        • LoadCursorW.USER32(00000000,00007F89), ref: 005BFE27
                                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 005BFE32
                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 005BFE3D
                                                        • LoadCursorW.USER32(00000000,00007F03), ref: 005BFE48
                                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 005BFE53
                                                        • LoadCursorW.USER32(00000000,00007F01), ref: 005BFE5E
                                                        • LoadCursorW.USER32(00000000,00007F81), ref: 005BFE69
                                                        • LoadCursorW.USER32(00000000,00007F88), ref: 005BFE74
                                                        • LoadCursorW.USER32(00000000,00007F80), ref: 005BFE7F
                                                        • LoadCursorW.USER32(00000000,00007F86), ref: 005BFE8A
                                                        • LoadCursorW.USER32(00000000,00007F83), ref: 005BFE95
                                                        • LoadCursorW.USER32(00000000,00007F85), ref: 005BFEA0
                                                        • LoadCursorW.USER32(00000000,00007F82), ref: 005BFEAB
                                                        • LoadCursorW.USER32(00000000,00007F84), ref: 005BFEB6
                                                        • LoadCursorW.USER32(00000000,00007F04), ref: 005BFEC1
                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 005BFECC
                                                        • GetCursorInfo.USER32(?), ref: 005BFEDC
                                                        • GetLastError.KERNEL32 ref: 005BFF1E
                                                        Similarity
                                                        • API ID: Cursor$Load$ErrorInfoLast
                                                        • String ID:
                                                        • API String ID: 3215588206-0
                                                        APIs
                                                        Strings
                                                        Similarity
                                                        • API ID: _wcslen
                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[`
                                                        • API String ID: 176396367-2911647270
                                                        APIs
                                                        • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005600C6
                                                          • Part of subcall function 005600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0061070C,00000FA0,ED460C8A,?,?,?,?,005823B3,000000FF), ref: 0056011C
                                                          • Part of subcall function 005600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005823B3,000000FF), ref: 00560127
                                                          • Part of subcall function 005600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005823B3,000000FF), ref: 00560138
                                                          • Part of subcall function 005600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0056014E
                                                          • Part of subcall function 005600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0056015C
                                                          • Part of subcall function 005600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0056016A
                                                          • Part of subcall function 005600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00560195
                                                          • Part of subcall function 005600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005601A0
                                                        • ___scrt_fastfail.LIBCMT ref: 005600E7
                                                          • Part of subcall function 005600A3: __onexit.LIBCMT ref: 005600A9
                                                        Strings
                                                        • InitializeConditionVariable, xrefs: 00560148
                                                        • kernel32.dll, xrefs: 00560133
                                                        • SleepConditionVariableCS, xrefs: 00560154
                                                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00560122
                                                        • WakeAllConditionVariable, xrefs: 00560162
                                                        Similarity
                                                        • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                        • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                        • API String ID: 66158676-1714406822
                                                        APIs
                                                        • CharLowerBuffW.USER32(00000000,00000000,005DCC08), ref: 005B4527
                                                        • _wcslen.LIBCMT ref: 005B453B
                                                        • _wcslen.LIBCMT ref: 005B4599
                                                        • _wcslen.LIBCMT ref: 005B45F4
                                                        • _wcslen.LIBCMT ref: 005B463F
                                                        • _wcslen.LIBCMT ref: 005B46A7
                                                          • Part of subcall function 0055F9F2: _wcslen.LIBCMT ref: 0055F9FD
                                                        • GetDriveTypeW.KERNEL32(?,00606BF0,00000061), ref: 005B4743
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$BuffCharDriveLowerType
                                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                        • API String ID: 2055661098-1000479233
                                                        APIs
                                                          • Part of subcall function 00559BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00559BB2
                                                        • DragQueryPoint.SHELL32(?,?), ref: 005D9147
                                                          • Part of subcall function 005D7674: ClientToScreen.USER32(?,?), ref: 005D769A
                                                          • Part of subcall function 005D7674: GetWindowRect.USER32(?,?), ref: 005D7710
                                                          • Part of subcall function 005D7674: PtInRect.USER32(?,?,005D8B89), ref: 005D7720
                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 005D91B0
                                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005D91BB
                                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005D91DE
                                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 005D9225
                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 005D923E
                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 005D9255
                                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 005D9277
                                                        • DragFinish.SHELL32(?), ref: 005D927E
                                                        • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005D9371
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#a
                                                        • API String ID: 221274066-1258061203
                                                        APIs
                                                        • GetMenuItemCount.USER32(00611990), ref: 00582F8D
                                                        • GetMenuItemCount.USER32(00611990), ref: 0058303D
                                                        • GetCursorPos.USER32(?), ref: 00583081
                                                        • SetForegroundWindow.USER32(00000000), ref: 0058308A
                                                        • TrackPopupMenuEx.USER32(00611990,00000000,?,00000000,00000000,00000000), ref: 0058309D
                                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005830A9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                        • String ID: 0
                                                        • API String ID: 36266755-4108050209
                                                        APIs
                                                        • DestroyWindow.USER32(00000000,?), ref: 005D6DEB
                                                          • Part of subcall function 00546B57: _wcslen.LIBCMT ref: 00546B6A
                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 005D6E5F
                                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005D6E81
                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005D6E94
                                                        • DestroyWindow.USER32(?), ref: 005D6EB5
                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00540000,00000000), ref: 005D6EE4
                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005D6EFD
                                                        • GetDesktopWindow.USER32 ref: 005D6F16
                                                        • GetWindowRect.USER32(00000000), ref: 005D6F1D
                                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005D6F35
                                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 005D6F4D
                                                          • Part of subcall function 00559944: GetWindowLongW.USER32(?,000000EB), ref: 00559952
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                        • String ID: 0$tooltips_class32
                                                        • API String ID: 2429346358-3619404913
                                                        APIs
                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005BC4B0
                                                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 005BC4C3
                                                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 005BC4D7
                                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 005BC4F0
                                                        • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 005BC533
                                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 005BC549
                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005BC554
                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005BC584
                                                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 005BC5DC
                                                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 005BC5F0
                                                        • InternetCloseHandle.WININET(00000000), ref: 005BC5FB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                        • String ID:
                                                        • API String ID: 3800310941-3916222277
                                                        APIs
                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 005D8592
                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005D85A2
                                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005D85AD
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005D85BA
                                                        • GlobalLock.KERNEL32(00000000), ref: 005D85C8
                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005D85D7
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 005D85E0
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005D85E7
                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 005D85F8
                                                        • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,005DFC38,?), ref: 005D8611
                                                        • GlobalFree.KERNEL32(00000000), ref: 005D8621
                                                        • GetObjectW.GDI32(?,00000018,?), ref: 005D8641
                                                        • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 005D8671
                                                        • DeleteObject.GDI32(?), ref: 005D8699
                                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005D86AF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                        • String ID:
                                                        • API String ID: 3840717409-0
                                                        APIs
                                                        • VariantInit.OLEAUT32(00000000), ref: 005B1502
                                                        • VariantCopy.OLEAUT32(?,?), ref: 005B150B
                                                        • VariantClear.OLEAUT32(?), ref: 005B1517
                                                        • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005B15FB
                                                        • VarR8FromDec.OLEAUT32(?,?), ref: 005B1657
                                                        • VariantInit.OLEAUT32(?), ref: 005B1708
                                                        • SysFreeString.OLEAUT32(?), ref: 005B178C
                                                        • VariantClear.OLEAUT32(?), ref: 005B17D8
                                                        • VariantClear.OLEAUT32(?), ref: 005B17E7
                                                        • VariantInit.OLEAUT32(00000000), ref: 005B1823
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                        • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                        • API String ID: 1234038744-3931177956
                                                        APIs
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                          • Part of subcall function 005CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005CB6AE,?,?), ref: 005CC9B5
                                                          • Part of subcall function 005CC998: _wcslen.LIBCMT ref: 005CC9F1
                                                          • Part of subcall function 005CC998: _wcslen.LIBCMT ref: 005CCA68
                                                          • Part of subcall function 005CC998: _wcslen.LIBCMT ref: 005CCA9E
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005CB6F4
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005CB772
                                                        • RegDeleteValueW.ADVAPI32(?,?), ref: 005CB80A
                                                        • RegCloseKey.ADVAPI32(?), ref: 005CB87E
                                                        • RegCloseKey.ADVAPI32(?), ref: 005CB89C
                                                        • LoadLibraryA.KERNEL32(advapi32.dll), ref: 005CB8F2
                                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005CB904
                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 005CB922
                                                        • FreeLibrary.KERNEL32(00000000), ref: 005CB983
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 005CB994
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                        • API String ID: 146587525-4033151799
                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 005C25D8
                                                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005C25E8
                                                        • CreateCompatibleDC.GDI32(?), ref: 005C25F4
                                                        • SelectObject.GDI32(00000000,?), ref: 005C2601
                                                        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 005C266D
                                                        • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 005C26AC
                                                        • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005C26D0
                                                        • SelectObject.GDI32(?,?), ref: 005C26D8
                                                        • DeleteObject.GDI32(?), ref: 005C26E1
                                                        • DeleteDC.GDI32(?), ref: 005C26E8
                                                        • ReleaseDC.USER32(00000000,?), ref: 005C26F3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                        • String ID: (
                                                        • API String ID: 2598888154-3887548279
                                                        • Opcode ID: a9f299145700d80611d1244c2f1dac8e4c2ea8e39065a7bcce01c984ed7c5062
                                                        • Instruction ID: 1af010650880fd0bcd6ec08032a16cd16abf78c951f4a9d7b19db37c5a8cb26a
                                                        • Opcode Fuzzy Hash: a9f299145700d80611d1244c2f1dac8e4c2ea8e39065a7bcce01c984ed7c5062
                                                        • Instruction Fuzzy Hash: 4461E27590021AAFCF14CFE8D885EAEBBB5FF48310F20851AE956A7250D770A941DF60
                                                        APIs
                                                        • ___free_lconv_mon.LIBCMT ref: 0057DAA1
                                                          • Part of subcall function 0057D63C: _free.LIBCMT ref: 0057D659
                                                          • Part of subcall function 0057D63C: _free.LIBCMT ref: 0057D66B
                                                          • Part of subcall function 0057D63C: _free.LIBCMT ref: 0057D67D
                                                          • Part of subcall function 0057D63C: _free.LIBCMT ref: 0057D68F
                                                          • Part of subcall function 0057D63C: _free.LIBCMT ref: 0057D6A1
                                                          • Part of subcall function 0057D63C: _free.LIBCMT ref: 0057D6B3
                                                          • Part of subcall function 0057D63C: _free.LIBCMT ref: 0057D6C5
                                                          • Part of subcall function 0057D63C: _free.LIBCMT ref: 0057D6D7
                                                          • Part of subcall function 0057D63C: _free.LIBCMT ref: 0057D6E9
                                                          • Part of subcall function 0057D63C: _free.LIBCMT ref: 0057D6FB
                                                          • Part of subcall function 0057D63C: _free.LIBCMT ref: 0057D70D
                                                          • Part of subcall function 0057D63C: _free.LIBCMT ref: 0057D71F
                                                          • Part of subcall function 0057D63C: _free.LIBCMT ref: 0057D731
                                                        • _free.LIBCMT ref: 0057DA96
                                                          • Part of subcall function 005729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0057D7D1,00000000,00000000,00000000,00000000,?,0057D7F8,00000000,00000007,00000000,?,0057DBF5,00000000), ref: 005729DE
                                                          • Part of subcall function 005729C8: GetLastError.KERNEL32(00000000,?,0057D7D1,00000000,00000000,00000000,00000000,?,0057D7F8,00000000,00000007,00000000,?,0057DBF5,00000000,00000000), ref: 005729F0
                                                        • _free.LIBCMT ref: 0057DAB8
                                                        • _free.LIBCMT ref: 0057DACD
                                                        • _free.LIBCMT ref: 0057DAD8
                                                        • _free.LIBCMT ref: 0057DAFA
                                                        • _free.LIBCMT ref: 0057DB0D
                                                        • _free.LIBCMT ref: 0057DB1B
                                                        • _free.LIBCMT ref: 0057DB26
                                                        • _free.LIBCMT ref: 0057DB5E
                                                        • _free.LIBCMT ref: 0057DB65
                                                        • _free.LIBCMT ref: 0057DB82
                                                        • _free.LIBCMT ref: 0057DB9A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                        • String ID:
                                                        • API String ID: 161543041-0
                                                        • Opcode ID: e4a791b4aab1e68538148364f06ab9b7529e420377a07c3ba4c684cc2a44995e
                                                        • Instruction ID: 4f6262a9b1e223bc3e2d45b77fb775d55e083b1c855093a1cbb14ac19d74024e
                                                        • Opcode Fuzzy Hash: e4a791b4aab1e68538148364f06ab9b7529e420377a07c3ba4c684cc2a44995e
                                                        • Instruction Fuzzy Hash: FC314A316442069FEB21AA39F849B5ABFF9FF40310F19C419E54DD7191DB31AC80AB30
                                                        APIs
                                                        • GetClassNameW.USER32(?,?,00000100), ref: 005A369C
                                                        • _wcslen.LIBCMT ref: 005A36A7
                                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 005A3797
                                                        • GetClassNameW.USER32(?,?,00000400), ref: 005A380C
                                                        • GetDlgCtrlID.USER32(?), ref: 005A385D
                                                        • GetWindowRect.USER32(?,?), ref: 005A3882
                                                        • GetParent.USER32(?), ref: 005A38A0
                                                        • ScreenToClient.USER32(00000000), ref: 005A38A7
                                                        • GetClassNameW.USER32(?,?,00000100), ref: 005A3921
                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 005A395D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                        • String ID: %s%u
                                                        • API String ID: 4010501982-679674701
                                                        • Opcode ID: 6a8458e2785e46b2333d673e3f05aab6ec7a3c14bc1531e6f4f63d559a4b09cc
                                                        • Instruction ID: 0c05c93c24cf2a3d98a5ab0e46df4ccde1bf326717c8c7841a1de05dabe8f39f
                                                        • Opcode Fuzzy Hash: 6a8458e2785e46b2333d673e3f05aab6ec7a3c14bc1531e6f4f63d559a4b09cc
                                                        • Instruction Fuzzy Hash: 3D91B471205607AFD719DF24C885BAEFBA8FF45354F00462AF999C2190DB34EA49CB91
                                                        APIs
                                                        • GetClassNameW.USER32(?,?,00000400), ref: 005A4994
                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 005A49DA
                                                        • _wcslen.LIBCMT ref: 005A49EB
                                                        • CharUpperBuffW.USER32(?,00000000), ref: 005A49F7
                                                        • _wcsstr.LIBVCRUNTIME ref: 005A4A2C
                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 005A4A64
                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 005A4A9D
                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 005A4AE6
                                                        • GetClassNameW.USER32(?,?,00000400), ref: 005A4B20
                                                        • GetWindowRect.USER32(?,?), ref: 005A4B8B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                        • String ID: ThumbnailClass
                                                        • API String ID: 1311036022-1241985126
                                                        • Opcode ID: d5edf3b6c18b6178b4aad91a01dd282b9950cf59c4ae869f130855001698a1d5
                                                        • Instruction ID: 512396d97253031e12448385a21d11e5671cf5374ae6e64c1e4b7c5dc1f86c9e
                                                        • Opcode Fuzzy Hash: d5edf3b6c18b6178b4aad91a01dd282b9950cf59c4ae869f130855001698a1d5
                                                        • Instruction Fuzzy Hash: 0C919D7110420A9FDB04CF94C985BAA7FA9FFC6314F04846AFD869A096DB70ED45CFA1
                                                        APIs
                                                          • Part of subcall function 00559BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00559BB2
                                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005D8D5A
                                                        • GetFocus.USER32 ref: 005D8D6A
                                                        • GetDlgCtrlID.USER32(00000000), ref: 005D8D75
                                                        • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 005D8E1D
                                                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 005D8ECF
                                                        • GetMenuItemCount.USER32(?), ref: 005D8EEC
                                                        • GetMenuItemID.USER32(?,00000000), ref: 005D8EFC
                                                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 005D8F2E
                                                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 005D8F70
                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005D8FA1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                        • String ID: 0
                                                        • API String ID: 1026556194-4108050209
                                                        • Opcode ID: f487f745c6a073833af9d45b5750ce233eff6a09962a757a7d66b55156ea677e
                                                        • Instruction ID: d3cb4d162c5e9aae00eb07eb6d42d94c0f108620cb20094746a841ec9bfaf6b1
                                                        • Opcode Fuzzy Hash: f487f745c6a073833af9d45b5750ce233eff6a09962a757a7d66b55156ea677e
                                                        • Instruction Fuzzy Hash: D5818C715083029BDB20CF28D884ABB7FEAFB88714F040A5BF9949B391DB30D904DB61
                                                        APIs
                                                        • GetMenuItemInfoW.USER32(00611990,000000FF,00000000,00000030), ref: 005ABFAC
                                                        • SetMenuItemInfoW.USER32(00611990,00000004,00000000,00000030), ref: 005ABFE1
                                                        • Sleep.KERNEL32(000001F4), ref: 005ABFF3
                                                        • GetMenuItemCount.USER32(?), ref: 005AC039
                                                        • GetMenuItemID.USER32(?,00000000), ref: 005AC056
                                                        • GetMenuItemID.USER32(?,-00000001), ref: 005AC082
                                                        • GetMenuItemID.USER32(?,?), ref: 005AC0C9
                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005AC10F
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005AC124
                                                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005AC145
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                        • String ID: 0
                                                        • API String ID: 1460738036-4108050209
                                                        • Opcode ID: e39d0c383e50496abc669cd6fbfddede4c755471b99632823cac63471884d743
                                                        • Instruction ID: 6535f08143792e7d28e855373662a551fe469333413c5baaf603040ff66dfa14
                                                        • Opcode Fuzzy Hash: e39d0c383e50496abc669cd6fbfddede4c755471b99632823cac63471884d743
                                                        • Instruction Fuzzy Hash: CF618EB0A0024AAFDF21CF64DD88AEE7FB8FB46344F044556F911A7292D731AD04DBA0
                                                        APIs
                                                        • GetFileVersionInfoSizeW.VERSION(?,?), ref: 005ADC20
                                                        • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 005ADC46
                                                        • _wcslen.LIBCMT ref: 005ADC50
                                                        • _wcsstr.LIBVCRUNTIME ref: 005ADCA0
                                                        • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 005ADCBC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                        • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                        • API String ID: 1939486746-1459072770
                                                        • Opcode ID: 2b1254b74c34044a5c24abe5c5b11fe7a1391faf1bad728478376f36d80f07e7
                                                        • Instruction ID: 4932407e16ab9e64e052f83bce638369cead8f14b4836d0f37c9d43a312d4620
                                                        • Opcode Fuzzy Hash: 2b1254b74c34044a5c24abe5c5b11fe7a1391faf1bad728478376f36d80f07e7
                                                        • Instruction Fuzzy Hash: 2F41F4729402067AEB14A664DC0BEBF7F7CFF92720F10046AF901A7182EA70990097B5
                                                        APIs
                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 005CCC64
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 005CCC8D
                                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 005CCD48
                                                          • Part of subcall function 005CCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 005CCCAA
                                                          • Part of subcall function 005CCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 005CCCBD
                                                          • Part of subcall function 005CCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005CCCCF
                                                          • Part of subcall function 005CCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 005CCD05
                                                          • Part of subcall function 005CCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 005CCD28
                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 005CCCF3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                        • API String ID: 2734957052-4033151799
                                                        • Opcode ID: e87e877b76166310ea6d461a3ed65af32bb5633e31f10e6aabf545bc97009a2a
                                                        • Instruction ID: eb496a767e4477ce555db7bafb6ae7bbba84789bfbdf7e5507a46040448b0864
                                                        • Opcode Fuzzy Hash: e87e877b76166310ea6d461a3ed65af32bb5633e31f10e6aabf545bc97009a2a
                                                        • Instruction Fuzzy Hash: D0315471942129BFD7208B94DC88EFFBF7CEF55750F00416AE91AE6140D6345E45EAA0
                                                        APIs
                                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005B3D40
                                                        • _wcslen.LIBCMT ref: 005B3D6D
                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 005B3D9D
                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 005B3DBE
                                                        • RemoveDirectoryW.KERNEL32(?), ref: 005B3DCE
                                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 005B3E55
                                                        • CloseHandle.KERNEL32(00000000), ref: 005B3E60
                                                        • CloseHandle.KERNEL32(00000000), ref: 005B3E6B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                        • String ID: :$\$\??\%s
                                                        • API String ID: 1149970189-3457252023
                                                        • Opcode ID: 637a9d8e2d94ac0c0ecd3c696cc1809eee8ce0f9de8c7634b789cde28b11021b
                                                        • Instruction ID: aabbd8614f6e0b1ca9e47bc045af9e37ad73d8f5990560d37d57f19deaceb26b
                                                        • Opcode Fuzzy Hash: 637a9d8e2d94ac0c0ecd3c696cc1809eee8ce0f9de8c7634b789cde28b11021b
                                                        • Instruction Fuzzy Hash: 083192B594021AABDB209BA0DC49FEF3BBCFF88740F5041A6F505E6160EB709744CB24
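Two of the listings above are worth reading as API chains rather than as isolated calls. The GDI32 sequence at 005C25D8 (GetDC of the screen, CreateCompatibleBitmap, StretchBlt with ROP 00CC0020 = SRCCOPY, then GetDIBits) is the standard way to read screen pixels back into memory. The KERNEL32 sequence at 005B3D40 opens a freshly created directory with flags 02200000 (FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT) and issues DeviceIoControl with control code 000900A4, which decodes to FSCTL_SET_REPARSE_POINT; together with the "\??\%s" string this is the sequence that creates an NTFS junction. Because the report classifies the sample as a compiled AutoIt script, both chains belong to the AutoIt runtime that ships inside every such executable; the static listing shows the capability exists, not that the embedded script uses it. The following script is an added example, not part of the Joe Sandbox report: it parses "APIs" listings in the format shown on this page, decodes the CTL_CODE fields and CreateFileW flags, and flags both chains. The sample text is the two listings copied from above; the chain definitions and labels are the example's own.

```python
import re

# Constructed sample: the "APIs" lists of two functions copied from the report
# above, with the addresses and argument captures exactly as Joe Sandbox
# printed them. An "APIs" line separates one function's listing from the next.
SAMPLE = """\
APIs
• GetDC.USER32(00000000), ref: 005C25D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 005C25E8
• CreateCompatibleDC.GDI32(?), ref: 005C25F4
• SelectObject.GDI32(00000000,?), ref: 005C2601
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 005C266D
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 005C26D0
• ReleaseDC.USER32(00000000,?), ref: 005C26F3
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005B3D40
• _wcslen.LIBCMT ref: 005B3D6D
• CreateDirectoryW.KERNEL32(?,00000000), ref: 005B3D9D
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 005B3DBE
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 005B3E55
• CloseHandle.KERNEL32(00000000), ref: 005B3E60
"""

# One call line: optional "Part of subcall function XXXX:" prefix, Name.MODULE,
# optional "(args)", then "ref: ADDR". Calls without arguments have no parens.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# CTL_CODE(DeviceType, Function, Method, Access) packs as
# (DeviceType << 16) | (Access << 14) | (Function << 2) | Method.
IOCTL_NAMES = {
    0x000900A4: "FSCTL_SET_REPARSE_POINT",     # FILE_DEVICE_FILE_SYSTEM (9), function 41
    0x000900A8: "FSCTL_GET_REPARSE_POINT",     # function 42
    0x000900AC: "FSCTL_DELETE_REPARSE_POINT",  # function 43
}
CREATEFILE_FLAGS = {
    0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
}

def hexarg(s):
    """Parse one captured argument; '?' (unresolved by the analyzer) yields None."""
    s = s.strip()
    if not re.fullmatch(r"-?[0-9A-Fa-f]+", s):
        return None
    return -int(s[1:], 16) if s.startswith("-") else int(s, 16)

def parse_report(text):
    """Split the listing into functions; each is a list of (name, args, ref)."""
    functions, current = [], []
    for line in text.splitlines():
        if line.strip() == "APIs":
            if current:
                functions.append(current)
            current = []
            continue
        m = CALL_RE.match(line)
        if m:
            args = [hexarg(a) for a in m["args"].split(",")] if m["args"] else []
            current.append((m["name"], args, m["ref"].upper()))
    if current:
        functions.append(current)
    return functions

def decode_ioctl(code):
    """Unpack a DeviceIoControl control code into its CTL_CODE fields."""
    return {"device": code >> 16, "access": (code >> 14) & 3,
            "function": (code >> 2) & 0xFFF, "method": code & 3,
            "name": IOCTL_NAMES.get(code)}

def decode_flags(value, table):
    return sorted(name for bit, name in table.items() if value is not None and value & bit)

def analyze(text):
    """Return {label: [refs]} for the API chains found in the listing."""
    findings = {}
    for calls in parse_report(text):
        names = {n for n, _, _ in calls}
        # GDI screen grab: screen DC -> compatible bitmap -> blit -> pixel readback
        if {"GetDC", "CreateCompatibleBitmap", "GetDIBits"} <= names and names & {"BitBlt", "StretchBlt"}:
            blit = next(r for n, _, r in calls if n in ("BitBlt", "StretchBlt"))
            findings.setdefault("gdi_screen_capture", []).append(blit)
        for name, args, ref in calls:
            if name == "CreateFileW" and len(args) > 5:          # dwFlagsAndAttributes
                for flag in decode_flags(args[5], CREATEFILE_FLAGS):
                    findings.setdefault(f"CreateFileW {flag}", []).append(ref)
            if name == "DeviceIoControl" and len(args) > 1 and args[1] is not None:
                label = decode_ioctl(args[1])["name"] or f"IOCTL 0x{args[1]:08X}"
                findings.setdefault(label, []).append(ref)
    return findings

if __name__ == "__main__":
    for label, refs in analyze(SAMPLE).items():
        print(f"{label}: {', '.join(refs)}")
```

Running the script against the two listings reports the screen-capture chain at the StretchBlt reference and FSCTL_SET_REPARSE_POINT at the DeviceIoControl reference. Arguments the analyzer could not resolve are printed as "?" in the report and come through as None, so any decoder must tolerate missing values rather than assume every call has its constants captured.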
                                                        APIs
                                                        • timeGetTime.WINMM ref: 005AE6B4
                                                          • Part of subcall function 0055E551: timeGetTime.WINMM(?,?,005AE6D4), ref: 0055E555
                                                        • Sleep.KERNEL32(0000000A), ref: 005AE6E1
                                                        • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 005AE705
                                                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 005AE727
                                                        • SetActiveWindow.USER32 ref: 005AE746
                                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 005AE754
                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 005AE773
                                                        • Sleep.KERNEL32(000000FA), ref: 005AE77E
                                                        • IsWindow.USER32 ref: 005AE78A
                                                        • EndDialog.USER32(00000000), ref: 005AE79B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                        • String ID: BUTTON
                                                        • API String ID: 1194449130-3405671355
                                                        • Opcode ID: 213b8b71d21a5be65ceb20753396ef08ca2e7338c0fc7471582e162b730cae37
                                                        • Instruction ID: 628da7d1428673cc45043f491bbf32d6d2cb23313fd432408eda19becb94fc76
                                                        • Opcode Fuzzy Hash: 213b8b71d21a5be65ceb20753396ef08ca2e7338c0fc7471582e162b730cae37
                                                        • Instruction Fuzzy Hash: 9C21F370300247AFEB105F20FC9AB6A3F6AF7A6349F046827F511821E1DB71AC54DA60
                                                        APIs
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 005AEA5D
                                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 005AEA73
                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005AEA84
                                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 005AEA96
                                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 005AEAA7
                                                        Strings
                                                        Similarity
                                                        • API ID: SendString$_wcslen
                                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                        • API String ID: 2420728520-1007645807
                                                        • Opcode ID: 728fed25af94c776429f4ce295580837a2b39723c35959be88d556ced92d21c5
                                                        • Instruction ID: 6ff609014fd0744ea546c653e1d85550a289198d6bc96a70206c1570e30bd79d
                                                        • Opcode Fuzzy Hash: 728fed25af94c776429f4ce295580837a2b39723c35959be88d556ced92d21c5
                                                        • Instruction Fuzzy Hash: FA115131AD025A79E724A7A5DC4FEFF6FBDFBD2B44F0104297411A20D1EAB00915C5B0
                                                        APIs
                                                        • GetDlgItem.USER32(?,00000001), ref: 005A5CE2
                                                        • GetWindowRect.USER32(00000000,?), ref: 005A5CFB
                                                        • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 005A5D59
                                                        • GetDlgItem.USER32(?,00000002), ref: 005A5D69
                                                        • GetWindowRect.USER32(00000000,?), ref: 005A5D7B
                                                        • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 005A5DCF
                                                        • GetDlgItem.USER32(?,000003E9), ref: 005A5DDD
                                                        • GetWindowRect.USER32(00000000,?), ref: 005A5DEF
                                                        • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 005A5E31
                                                        • GetDlgItem.USER32(?,000003EA), ref: 005A5E44
                                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 005A5E5A
                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 005A5E67
                                                        Similarity
                                                        • API ID: Window$ItemMoveRect$Invalidate
                                                        • String ID:
                                                        • API String ID: 3096461208-0
                                                        • Opcode ID: 5dac870496e53ad484ae5a0795b326d35c9c817299f12a93c3fe2d4f38ed066e
                                                        • Instruction ID: 2f5ca8fd82e2f8e4c22b6dffae172f5f835ab4bcd00090c1aea77e29f6488509
                                                        • Opcode Fuzzy Hash: 5dac870496e53ad484ae5a0795b326d35c9c817299f12a93c3fe2d4f38ed066e
                                                        • Instruction Fuzzy Hash: 45510F71A00605AFDF18CF68DD89EAEBFB9FB59310F148129F516E6290E7709E04DB50
                                                        APIs
                                                          • Part of subcall function 00558F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00558BE8,?,00000000,?,?,?,?,00558BBA,00000000,?), ref: 00558FC5
                                                        • DestroyWindow.USER32(?), ref: 00558C81
                                                        • KillTimer.USER32(00000000,?,?,?,?,00558BBA,00000000,?), ref: 00558D1B
                                                        • DestroyAcceleratorTable.USER32(00000000), ref: 00596973
                                                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00558BBA,00000000,?), ref: 005969A1
                                                        • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00558BBA,00000000,?), ref: 005969B8
                                                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00558BBA,00000000), ref: 005969D4
                                                        • DeleteObject.GDI32(00000000), ref: 005969E6
                                                        Similarity
                                                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                        • String ID:
                                                        • API String ID: 641708696-0
                                                        • Opcode ID: 0a994c684c0ca9a53d65531e2d0851f64b2d641ebf287bf3cecec43677b2bd79
                                                        • Instruction ID: b2d54760dc31707305bd02a60057e0843a1d43e0d3e34f01971d8031a886b727
                                                        • Opcode Fuzzy Hash: 0a994c684c0ca9a53d65531e2d0851f64b2d641ebf287bf3cecec43677b2bd79
                                                        • Instruction Fuzzy Hash: D4618A30102601DFCF319F18D968B797FF2FB51312F18991BE542AAA60CB31AC88DB90
                                                        APIs
                                                          • Part of subcall function 00559944: GetWindowLongW.USER32(?,000000EB), ref: 00559952
                                                        • GetSysColor.USER32(0000000F), ref: 00559862
                                                        Similarity
                                                        • API ID: ColorLongWindow
                                                        • String ID:
                                                        • API String ID: 259745315-0
                                                        • Opcode ID: 98d2b00ba671630f764be8652582df741cf31ae016ba99b00699f7ce57c64b05
                                                        • Instruction ID: 843d9e5f98704ca380a46d3b904a995e8a8824ab491eb955c87d59b1c2defcc2
                                                        • Opcode Fuzzy Hash: 98d2b00ba671630f764be8652582df741cf31ae016ba99b00699f7ce57c64b05
                                                        • Instruction Fuzzy Hash: 7D41BD31105615EFDF205F389C98BB93FA5BB16332F144647F9A28B2E2D734984AEB50
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: .V
                                                        • API String ID: 0-732867087
                                                        • Opcode ID: f4b57874657b90e0d145e07660402b082dbf5ee8f0f1b97ccb75d9512a0fccc0
                                                        • Instruction ID: b6511eace8293dd4d5381a12e71b221217a996a1f763a291d5ea1ef43f0634c4
                                                        • Opcode Fuzzy Hash: f4b57874657b90e0d145e07660402b082dbf5ee8f0f1b97ccb75d9512a0fccc0
                                                        • Instruction Fuzzy Hash: E9C1E574D042499FDF11DFA8E849BADBFB5BF49310F088096E91897392C7309941EB71
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0058F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 005A9717
                                                        • LoadStringW.USER32(00000000,?,0058F7F8,00000001), ref: 005A9720
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                        • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0058F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 005A9742
                                                        • LoadStringW.USER32(00000000,?,0058F7F8,00000001), ref: 005A9745
                                                        • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 005A9866
                                                        Strings
                                                        Similarity
                                                        • API ID: HandleLoadModuleString$Message_wcslen
                                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                        • API String ID: 747408836-2268648507
                                                        • Opcode ID: 06ec747ec8343a0c64c177fc0dcedc6143a2116e7aa17400c0a89518eb031072
                                                        • Instruction ID: a0ab0da2bd0938fd999ee7ab559e5a9165d4a83561e9b2c22089623d21ea9ed8
                                                        • Opcode Fuzzy Hash: 06ec747ec8343a0c64c177fc0dcedc6143a2116e7aa17400c0a89518eb031072
                                                        • Instruction Fuzzy Hash: 2541407284021AAADF04EBE0DD8ADEF7B79BF95344F100425B601720A2EA355F48CB61
                                                        APIs
                                                          • Part of subcall function 00546B57: _wcslen.LIBCMT ref: 00546B6A
                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005A07A2
                                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005A07BE
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005A07DA
                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 005A0804
                                                        • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 005A082C
                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005A0837
                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005A083C
                                                        Strings
                                                        Similarity
                                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                        • API String ID: 323675364-22481851
                                                        • Opcode ID: 36c544534a9e865f26e25c98c12cf16ffb3ca2e01eead1f52cb68091920ac453
                                                        • Instruction ID: d2fd9e020804d05babe1412fab6114cd7142f744e90e4a09a3727393e353c2f0
                                                        • Opcode Fuzzy Hash: 36c544534a9e865f26e25c98c12cf16ffb3ca2e01eead1f52cb68091920ac453
                                                        • Instruction Fuzzy Hash: 64410B72C1122AABDF25EF94DC99DEEBB78FF54354F154126E901A31A1EB309E04CB90
                                                        APIs
                                                        • VariantInit.OLEAUT32(?), ref: 005C3C5C
                                                        • CoInitialize.OLE32(00000000), ref: 005C3C8A
                                                        • CoUninitialize.OLE32 ref: 005C3C94
                                                        • _wcslen.LIBCMT ref: 005C3D2D
                                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 005C3DB1
                                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 005C3ED5
                                                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 005C3F0E
                                                        • CoGetObject.OLE32(?,00000000,005DFB98,?), ref: 005C3F2D
                                                        • SetErrorMode.KERNEL32(00000000), ref: 005C3F40
                                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005C3FC4
                                                        • VariantClear.OLEAUT32(?), ref: 005C3FD8
                                                        Similarity
                                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                        • String ID:
                                                        • API String ID: 429561992-0
                                                        • Opcode ID: e00865b4527a8f10f4d2afc809c4a10782c47fc4b22e6bbb3530a5b447b87c0a
                                                        • Instruction ID: 2e490825c0fb5279ccac2d3848253620d75d61073fd9529be5e8de0fa95cb419
                                                        • Opcode Fuzzy Hash: e00865b4527a8f10f4d2afc809c4a10782c47fc4b22e6bbb3530a5b447b87c0a
                                                        • Instruction Fuzzy Hash: AAC115716082059FD710DFA8C884E6BBBE9FF89748F14891DF98A9B250D731ED05CB52
                                                        APIs
                                                        • CoInitialize.OLE32(00000000), ref: 005B7AF3
                                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 005B7B8F
                                                        • SHGetDesktopFolder.SHELL32(?), ref: 005B7BA3
                                                        • CoCreateInstance.OLE32(005DFD08,00000000,00000001,00606E6C,?), ref: 005B7BEF
                                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 005B7C74
                                                        • CoTaskMemFree.OLE32(?,?), ref: 005B7CCC
                                                        • SHBrowseForFolderW.SHELL32(?), ref: 005B7D57
                                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005B7D7A
                                                        • CoTaskMemFree.OLE32(00000000), ref: 005B7D81
                                                        • CoTaskMemFree.OLE32(00000000), ref: 005B7DD6
                                                        • CoUninitialize.OLE32 ref: 005B7DDC
                                                        Similarity
                                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                        • String ID:
                                                        • API String ID: 2762341140-0
                                                        • Opcode ID: 4ea0be77749094288304710bd735b4e32610367efb107c6953cd765b44dcd1e1
                                                        • Instruction ID: 2df1b5fb315e6503f3f3085d6f0bee2dea681a1d7c9d1e6c8e92235c3517c00c
                                                        • Opcode Fuzzy Hash: 4ea0be77749094288304710bd735b4e32610367efb107c6953cd765b44dcd1e1
                                                        • Instruction Fuzzy Hash: 73C10975A04109AFCB14DFA4C898DAEBFB9FF88304B148599E8199B261D731EE45CB90
                                                        APIs
                                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 005D5504
                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005D5515
                                                        • CharNextW.USER32(00000158), ref: 005D5544
                                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 005D5585
                                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005D559B
                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005D55AC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CharNext
                                                        • String ID:
                                                        • API String ID: 1350042424-0
                                                        • Opcode ID: 75a91feae42a8e26e44708cb6aa32247fe9f2ca5034ecef6bea6dde7ed0a162c
                                                        • Instruction ID: 304ff639c9fffb9efba73cefd0cf79d1ac377ff1f2ca130274096f6961057bec
                                                        • Opcode Fuzzy Hash: 75a91feae42a8e26e44708cb6aa32247fe9f2ca5034ecef6bea6dde7ed0a162c
                                                        • Instruction Fuzzy Hash: F0616D30901609EBDF219F58CC849FE7FB9FB09761F10854BF925AA390E7748A84DB61
                                                        APIs
                                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0059FAAF
                                                        • SafeArrayAllocData.OLEAUT32(?), ref: 0059FB08
                                                        • VariantInit.OLEAUT32(?), ref: 0059FB1A
                                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 0059FB3A
                                                        • VariantCopy.OLEAUT32(?,?), ref: 0059FB8D
                                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 0059FBA1
                                                        • VariantClear.OLEAUT32(?), ref: 0059FBB6
                                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 0059FBC3
                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0059FBCC
                                                        • VariantClear.OLEAUT32(?), ref: 0059FBDE
                                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0059FBE9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                        • String ID:
                                                        • API String ID: 2706829360-0
                                                        • Opcode ID: c7f4d222721622df649788d12b273a53ab2ebc41477aa09796b43058cc5e6199
                                                        • Instruction ID: bef6c37883c3e6abeea9f52f6fc87b2d94de3f5151150cb55ded1ab8d6c8511d
                                                        • Opcode Fuzzy Hash: c7f4d222721622df649788d12b273a53ab2ebc41477aa09796b43058cc5e6199
                                                        • Instruction Fuzzy Hash: 17416035A0121AAFCF10DF64C8589EEBFB9FF58345F00806AE905E7261DB70A945DF90
                                                        APIs
                                                        • GetKeyboardState.USER32(?), ref: 005A9CA1
                                                        • GetAsyncKeyState.USER32(000000A0), ref: 005A9D22
                                                        • GetKeyState.USER32(000000A0), ref: 005A9D3D
                                                        • GetAsyncKeyState.USER32(000000A1), ref: 005A9D57
                                                        • GetKeyState.USER32(000000A1), ref: 005A9D6C
                                                        • GetAsyncKeyState.USER32(00000011), ref: 005A9D84
                                                        • GetKeyState.USER32(00000011), ref: 005A9D96
                                                        • GetAsyncKeyState.USER32(00000012), ref: 005A9DAE
                                                        • GetKeyState.USER32(00000012), ref: 005A9DC0
                                                        • GetAsyncKeyState.USER32(0000005B), ref: 005A9DD8
                                                        • GetKeyState.USER32(0000005B), ref: 005A9DEA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: State$Async$Keyboard
                                                        • String ID:
                                                        • API String ID: 541375521-0
                                                        • Opcode ID: 1e098a13cbdf6f4b9195db143aec5586aaf1c06e11abf56f44a4e0b195a69e6a
                                                        • Instruction ID: a973060a384d4baaa3ec823f0f8578600b7f60460615b535691e8e5b09af4950
                                                        • Opcode Fuzzy Hash: 1e098a13cbdf6f4b9195db143aec5586aaf1c06e11abf56f44a4e0b195a69e6a
                                                        • Instruction Fuzzy Hash: 9141D834504BDA69FF30866488543B9BFE07F23354F08805ADAC6565C2EBA49DC8C7A2
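The function above is the one behind the report's "Contains functionality to retrieve information about pressed keystrokes" signature, and the only constant it passes to GetAsyncKeyState/GetKeyState are 0xA0, 0xA1, 0x11, 0x12 and 0x5B (VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU, VK_LWIN). Polling only the modifier keys is what a script runtime does before synthesising keystrokes, not what a keylogger does, so the virtual-key set is worth decoding before treating the signature as evidence of key capture. The helper below is an added triage example, not part of the Joe Sandbox report or of the analysed sample: it parses report lines of the form shown on this page, decodes the polled virtual-key codes against the Windows SDK constants, and sorts a function into modifier-state polling, mouse-button polling or keystroke-capture candidate. Samples 1 and 2 are copied from this page; sample 3 is constructed to show the contrasting shape. The verdict is a hint only: GetKeyboardState(?) returns the whole 256-byte state array, and an argument shown as "?" was not a constant in the disassembly, so neither is classified.

```python
"""
Added triage helper (not from the report or the sample): decode the virtual-key
codes a function polls through GetAsyncKeyState/GetKeyState, as listed in a
Joe Sandbox 'APIs' block, and classify the polling pattern.
"""
import re

# Sample 1: the API lines of the function at 005A9CA1, copied from this page.
MODIFIER_POLL = """\
• GetKeyboardState.USER32(?), ref: 005A9CA1
• GetAsyncKeyState.USER32(000000A0), ref: 005A9D22
• GetKeyState.USER32(000000A0), ref: 005A9D3D
• GetAsyncKeyState.USER32(000000A1), ref: 005A9D57
• GetKeyState.USER32(000000A1), ref: 005A9D6C
• GetAsyncKeyState.USER32(00000011), ref: 005A9D84
• GetKeyState.USER32(00000011), ref: 005A9D96
• GetAsyncKeyState.USER32(00000012), ref: 005A9DAE
• GetKeyState.USER32(00000012), ref: 005A9DC0
• GetAsyncKeyState.USER32(0000005B), ref: 005A9DD8
• GetKeyState.USER32(0000005B), ref: 005A9DEA
"""

# Sample 2: subcall lines of the drag-and-drop handler on this page (mouse buttons only).
MOUSE_POLL = """\
  • Part of subcall function 0055912D: GetCursorPos.USER32(?), ref: 00559141
  • Part of subcall function 0055912D: GetAsyncKeyState.USER32(00000001), ref: 00559183
  • Part of subcall function 0055912D: GetAsyncKeyState.USER32(00000002), ref: 0055919D
• ReleaseCapture.USER32 ref: 005D8B77
"""

# Sample 3 (constructed, not from the report): one GetAsyncKeyState per key '0'..'Z',
# the shape an unrolled polling-keylogger loop leaves in a listing like this.
KEYLOGGER_LIKE = "\n".join(
    f"• GetAsyncKeyState.USER32({vk:08X}), ref: 00401{i:03X}"
    for i, vk in enumerate(range(0x30, 0x5B))
)

# One report line: optional "Part of subcall function XXXX:" prefix, Name.MODULE,
# optional "(args)", optional "ref: ADDR" (e.g. "WSACleanup.WSOCK32 ref: ..." has no parens).
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)

# Windows SDK virtual-key constants relevant to the classification.
VK_NAMES = {
    0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON", 0x04: "VK_MBUTTON",
    0x05: "VK_XBUTTON1", 0x06: "VK_XBUTTON2",
    0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
    0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
    0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
    0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU",
}
MOUSE_VKS = {0x01, 0x02, 0x04, 0x05, 0x06}
MODIFIER_VKS = set(VK_NAMES) - MOUSE_VKS


def parse_api_lines(block):
    """Return one dict per parsable report line; lines that do not match are skipped."""
    calls = []
    for line in block.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw and raw.strip() else []
        calls.append({"name": m.group("name"), "module": m.group("module"),
                      "args": args, "ref": m.group("ref"), "subcall": m.group("sub")})
    return calls


def polled_vks(calls):
    """Constant virtual-key codes passed to the key-state APIs ('?' = unknown, ignored)."""
    vks = set()
    for c in calls:
        if c["name"] in ("GetAsyncKeyState", "GetKeyState") and c["args"]:
            arg = c["args"][0]
            if re.fullmatch(r"[0-9A-Fa-f]+", arg):
                vks.add(int(arg, 16))
    return vks


def classify_key_polling(block):
    """Classify a function's key polling from its report lines (a triage hint, not proof)."""
    calls = parse_api_lines(block)
    vks = polled_vks(calls)
    if not vks:
        verdict = "no-key-polling"
    elif vks <= MODIFIER_VKS:
        verdict = "modifier-state-check"
    elif vks <= MODIFIER_VKS | MOUSE_VKS:
        verdict = "mouse-button-check"
    else:
        verdict = "keystroke-capture-candidate"
    keys = [VK_NAMES.get(v, f"0x{v:02X}") for v in sorted(vks)]
    return {"verdict": verdict, "keys": keys, "call_count": len(calls)}


if __name__ == "__main__":
    for label, block in (("005A9CA1", MODIFIER_POLL), ("005D8B6B", MOUSE_POLL),
                         ("constructed", KEYLOGGER_LIKE)):
        print(label, classify_key_polling(block))
```

Run it over the "APIs" block of any function in the report; a "keystroke-capture-candidate" verdict (printable or navigation keys polled) is the case worth a closer look, whereas the modifier-only set at 005A9CA1 matches the modifier check a script runtime performs before sending keys.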
                                                        APIs
                                                        • WSAStartup.WSOCK32(00000101,?), ref: 005C05BC
                                                        • inet_addr.WSOCK32(?), ref: 005C061C
                                                        • gethostbyname.WSOCK32(?), ref: 005C0628
                                                        • IcmpCreateFile.IPHLPAPI ref: 005C0636
                                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005C06C6
                                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005C06E5
                                                        • IcmpCloseHandle.IPHLPAPI(?), ref: 005C07B9
                                                        • WSACleanup.WSOCK32 ref: 005C07BF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                        • String ID: Ping
                                                        • API String ID: 1028309954-2246546115
                                                        • Opcode ID: 443fc9ecc1cad3e44c5f69a80376a11d23ef28df11372c4e9890a23ebdc25d5b
                                                        • Instruction ID: 306ebc6f478b93df4dbbc50e7239b982b31a498ce46adbbe89c83bb885e3206a
                                                        • Opcode Fuzzy Hash: 443fc9ecc1cad3e44c5f69a80376a11d23ef28df11372c4e9890a23ebdc25d5b
                                                        • Instruction Fuzzy Hash: A5914535608202DFD724DF55C889F1ABFE0FB84318F1499A9E4698B6A2C770ED45CF81
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$BuffCharLower
                                                        • String ID: cdecl$none$stdcall$winapi
                                                        • API String ID: 707087890-567219261
                                                        • Opcode ID: abbf7823cac493d0cd0244c72f180001928fb7dae6366ca8f5e63b979051fcf0
                                                        • Instruction ID: 8b34e15133d2a1c3488bf292e5f49c436c39bac5be1cb4d7cbf18aa789a1b1f7
                                                        • Opcode Fuzzy Hash: abbf7823cac493d0cd0244c72f180001928fb7dae6366ca8f5e63b979051fcf0
                                                        • Instruction Fuzzy Hash: 4B518F31A001179FCB14DFACC941ABEBBAABF65724B21462DE426E72C5DB35ED40C790
                                                        APIs
                                                        • CoInitialize.OLE32 ref: 005C3774
                                                        • CoUninitialize.OLE32 ref: 005C377F
                                                        • CoCreateInstance.OLE32(?,00000000,00000017,005DFB78,?), ref: 005C37D9
                                                        • IIDFromString.OLE32(?,?), ref: 005C384C
                                                        • VariantInit.OLEAUT32(?), ref: 005C38E4
                                                        • VariantClear.OLEAUT32(?), ref: 005C3936
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                        • API String ID: 636576611-1287834457
                                                        • Opcode ID: a182cacf2f4cefeb0fa2f3b109d201eab58dc79957d0bd19f8deef34c3ea525b
                                                        • Instruction ID: 4142c53bf548ffaf65903711c3d0f1a5c7811d1392af98db0187427ec775e407
                                                        • Opcode Fuzzy Hash: a182cacf2f4cefeb0fa2f3b109d201eab58dc79957d0bd19f8deef34c3ea525b
                                                        • Instruction Fuzzy Hash: 5D616B71609206AFD310DF94C849F9ABFE4FF89715F00880EF9859B291D770EA48DB92
                                                        APIs
                                                          • Part of subcall function 00559BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00559BB2
                                                          • Part of subcall function 0055912D: GetCursorPos.USER32(?), ref: 00559141
                                                          • Part of subcall function 0055912D: ScreenToClient.USER32(00000000,?), ref: 0055915E
                                                          • Part of subcall function 0055912D: GetAsyncKeyState.USER32(00000001), ref: 00559183
                                                          • Part of subcall function 0055912D: GetAsyncKeyState.USER32(00000002), ref: 0055919D
                                                        • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 005D8B6B
                                                        • ImageList_EndDrag.COMCTL32 ref: 005D8B71
                                                        • ReleaseCapture.USER32 ref: 005D8B77
                                                        • SetWindowTextW.USER32(?,00000000), ref: 005D8C12
                                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 005D8C25
                                                        • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 005D8CFF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID$p#a
                                                        • API String ID: 1924731296-1177714147
                                                        • Opcode ID: 913e03ab58b937b6042f333eac677e26e269decc177fd88cee73da908f3676b0
                                                        • Instruction ID: 500b2246435a7bbf17861ecc2df43c9478fddf28a486230eee4b1d62caff6789
                                                        • Opcode Fuzzy Hash: 913e03ab58b937b6042f333eac677e26e269decc177fd88cee73da908f3676b0
                                                        • Instruction Fuzzy Hash: E9518C70105205AFD714DF24DC9ABAA7BE5FB88714F000A2BF9529B2E1DB709D48CB62
                                                        APIs
                                                        • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005B33CF
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                        • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005B33F0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: LoadString$_wcslen
                                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                        • API String ID: 4099089115-3080491070
                                                        • Opcode ID: 1843340a51905df598d93c0b1a5083aa853f3aadc6a3d69f36222a245cac262d
                                                        • Instruction ID: 333130b8526f2a89885407b7cbaa4439037060141ee6e73e12d2fd4e4fb17661
                                                        • Opcode Fuzzy Hash: 1843340a51905df598d93c0b1a5083aa853f3aadc6a3d69f36222a245cac262d
                                                        • Instruction Fuzzy Hash: E951B43294020AAADF14EBE0CD4AEEEBB79FF45344F144566F505720A2EB312F58DB61
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$BuffCharUpper
                                                        • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                        • API String ID: 1256254125-769500911
                                                        • Opcode ID: db0e68fbecfc9e0e2dbdfeef7e5b9ff4f8305bbc9279edf13cce80e8b8f2d847
                                                        • Instruction ID: 7ef7f774b8181af1aa720a618566c93b18a2d9a15abfadeffa5606017b3e541d
                                                        • Opcode Fuzzy Hash: db0e68fbecfc9e0e2dbdfeef7e5b9ff4f8305bbc9279edf13cce80e8b8f2d847
                                                        • Instruction Fuzzy Hash: D441B632A001279ADB205F7DC9905BE7FB5FFA2794B244629E461DB286E731CD81C7D0
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 005B53A0
                                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 005B5416
                                                        • GetLastError.KERNEL32 ref: 005B5420
                                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 005B54A7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Error$Mode$DiskFreeLastSpace
                                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                        • API String ID: 4194297153-14809454
                                                        • Opcode ID: e7bf3de6c0b0bbaa00e11faacc2e26234ae959a393c7028e9bf90c66dd16d5c6
                                                        • Instruction ID: cd20a9067d511d466f30edf64cad59924d7b36c4adb4bd932793df52804c6fc8
                                                        • Opcode Fuzzy Hash: e7bf3de6c0b0bbaa00e11faacc2e26234ae959a393c7028e9bf90c66dd16d5c6
                                                        • Instruction Fuzzy Hash: E031A335A006059FDB18DF68C488BEABFB5FF45305F548466E405CB292EB71ED8ACB90
                                                        APIs
                                                        • CreateMenu.USER32 ref: 005D3C79
                                                        • SetMenu.USER32(?,00000000), ref: 005D3C88
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005D3D10
                                                        • IsMenu.USER32(?), ref: 005D3D24
                                                        • CreatePopupMenu.USER32 ref: 005D3D2E
                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005D3D5B
                                                        • DrawMenuBar.USER32 ref: 005D3D63
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                        • String ID: 0$F
                                                        • API String ID: 161812096-3044882817
                                                        • Opcode ID: acf7e04358c397b1ad53422f8eed8dbd23811be0164b1493058115d5ab1cdcba
                                                        • Instruction ID: 64cf568ab539e5758b0e66583c56aef94bf07b643a66f8a4b101c07665661595
                                                        • Opcode Fuzzy Hash: acf7e04358c397b1ad53422f8eed8dbd23811be0164b1493058115d5ab1cdcba
                                                        • Instruction Fuzzy Hash: BF416C75A0220AAFDB24DF64E844ADA7FB6FF49350F14042BE94697360D730AA14DF91
                                                        APIs
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                          • Part of subcall function 005A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005A3CCA
                                                        • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 005A1F64
                                                        • GetDlgCtrlID.USER32 ref: 005A1F6F
                                                        • GetParent.USER32 ref: 005A1F8B
                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 005A1F8E
                                                        • GetDlgCtrlID.USER32(?), ref: 005A1F97
                                                        • GetParent.USER32(?), ref: 005A1FAB
                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 005A1FAE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 711023334-1403004172
                                                        • Opcode ID: 1c39a2ac0808c8550bccefced919f96b682f14cc60eb778465136f50dd5ddcae
                                                        • Instruction ID: 5e076cc961b8dc08ecfae5cf6464e87ed311b38366b03672ee940e2bcd11fc57
                                                        • Opcode Fuzzy Hash: 1c39a2ac0808c8550bccefced919f96b682f14cc60eb778465136f50dd5ddcae
                                                        • Instruction Fuzzy Hash: 1921BE74940215BFCF14AFA4DC999EEBFB9FF56314F000116B961AB2E1CB349908DB64
                                                        APIs
                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005D3A9D
                                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005D3AA0
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 005D3AC7
                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005D3AEA
                                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005D3B62
                                                        • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 005D3BAC
                                                        • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 005D3BC7
                                                        • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 005D3BE2
                                                        • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 005D3BF6
                                                        • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 005D3C13
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$LongWindow
                                                        • String ID:
                                                        • API String ID: 312131281-0
                                                        • Opcode ID: e10de60e64f9281371b6116bca6f390c81be0dcccdc8449547d8a2c35d75dc57
                                                        • Instruction ID: 812b49c62cd8dbd12dec98cff75d359975f0f3c83e2790951370b0e255e92d0a
                                                        • Opcode Fuzzy Hash: e10de60e64f9281371b6116bca6f390c81be0dcccdc8449547d8a2c35d75dc57
                                                        • Instruction Fuzzy Hash: 34615975900208AFDB20DF68CC81EEE7BB8FB49700F14459AEA15AB3A1D770AE45DB50
                                                        APIs
                                                        • _free.LIBCMT ref: 00572C94
                                                          • Part of subcall function 005729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0057D7D1,00000000,00000000,00000000,00000000,?,0057D7F8,00000000,00000007,00000000,?,0057DBF5,00000000), ref: 005729DE
                                                          • Part of subcall function 005729C8: GetLastError.KERNEL32(00000000,?,0057D7D1,00000000,00000000,00000000,00000000,?,0057D7F8,00000000,00000007,00000000,?,0057DBF5,00000000,00000000), ref: 005729F0
                                                        • _free.LIBCMT ref: 00572CA0
                                                        • _free.LIBCMT ref: 00572CAB
                                                        • _free.LIBCMT ref: 00572CB6
                                                        • _free.LIBCMT ref: 00572CC1
                                                        • _free.LIBCMT ref: 00572CCC
                                                        • _free.LIBCMT ref: 00572CD7
                                                        • _free.LIBCMT ref: 00572CE2
                                                        • _free.LIBCMT ref: 00572CED
                                                        • _free.LIBCMT ref: 00572CFB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: 5be67a9c8bde7f22790e4e6e79d37cf1b24e3d8da39e890b7f48f60c25e0a269
                                                        • Instruction ID: 4166c97eae9d9a88f040eed8579b1bc27e46ea656c70f93179ece415442161ba
                                                        • Opcode Fuzzy Hash: 5be67a9c8bde7f22790e4e6e79d37cf1b24e3d8da39e890b7f48f60c25e0a269
                                                        • Instruction Fuzzy Hash: 7D119676100109AFCB02EF64E846CDD7FA5FF45350F4584A5FA4C5B222D631EED0AB90
                                                        APIs
                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005B7FAD
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 005B7FC1
                                                        • GetFileAttributesW.KERNEL32(?), ref: 005B7FEB
                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 005B8005
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 005B8017
                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 005B8060
                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005B80B0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectory$AttributesFile
                                                        • String ID: *.*
                                                        • API String ID: 769691225-438819550
                                                        • Opcode ID: c27c8c67d5ae2bdd7bb935cd6450fe5bc1e102a561f6f18e2fa21e8041f5c587
                                                        • Instruction ID: 550cebcf3cc8211698b52bf39f76756dd39e6310291a4dbd5820f8537195b985
                                                        • Opcode Fuzzy Hash: c27c8c67d5ae2bdd7bb935cd6450fe5bc1e102a561f6f18e2fa21e8041f5c587
                                                        • Instruction Fuzzy Hash: D6817E725082499BCB20EF24C4499EABBE8BFC9354F144C5AF885D7250EB35ED49CB52
                                                        APIs
                                                        • SetWindowLongW.USER32(?,000000EB), ref: 00545C7A
                                                          • Part of subcall function 00545D0A: GetClientRect.USER32(?,?), ref: 00545D30
                                                          • Part of subcall function 00545D0A: GetWindowRect.USER32(?,?), ref: 00545D71
                                                          • Part of subcall function 00545D0A: ScreenToClient.USER32(?,?), ref: 00545D99
                                                        • GetDC.USER32 ref: 005846F5
                                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00584708
                                                        • SelectObject.GDI32(00000000,00000000), ref: 00584716
                                                        • SelectObject.GDI32(00000000,00000000), ref: 0058472B
                                                        • ReleaseDC.USER32(?,00000000), ref: 00584733
                                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005847C4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                        • String ID: U
                                                        • API String ID: 4009187628-3372436214
                                                        • Opcode ID: 714dbfd7529aa22dec5342d9483b47b523aae575504a7887e98126b5cee67d68
                                                        • Instruction ID: 478a496523f5739063194248a87cc5296766b2f60638f69c55336cd5d28b8023
                                                        • Opcode Fuzzy Hash: 714dbfd7529aa22dec5342d9483b47b523aae575504a7887e98126b5cee67d68
                                                        • Instruction Fuzzy Hash: 7F71F430400206DFCF21AF64C984AFA7FB5FF4A354F18466AED55AA266D3318C42DF50
                                                        APIs
                                                        • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005B35E4
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                        • LoadStringW.USER32(00612390,?,00000FFF,?), ref: 005B360A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: LoadString$_wcslen
                                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                        • API String ID: 4099089115-2391861430
                                                        • Opcode ID: dd1dbfee14c1bc8ad4cabd99f70eae5af3e326fea1edb418a6f6ba89385f8a51
                                                        • Instruction ID: 9ddd482d9f282d7c78046c85a50cffa114bbbcda1a31fc44baa608710173bbe9
                                                        • Opcode Fuzzy Hash: dd1dbfee14c1bc8ad4cabd99f70eae5af3e326fea1edb418a6f6ba89385f8a51
                                                        • Instruction Fuzzy Hash: 11516D7284021AAADF14EFA0DC4AEEEBF79FF45304F144125F505721A2DB302B99DBA1
                                                        APIs
                                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005BC272
                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005BC29A
                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005BC2CA
                                                        • GetLastError.KERNEL32 ref: 005BC322
                                                        • SetEvent.KERNEL32(?), ref: 005BC336
                                                        • InternetCloseHandle.WININET(00000000), ref: 005BC341
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                        • String ID:
                                                        • API String ID: 3113390036-3916222277
                                                        • Opcode ID: efbb4e3ffbab42bb7d8dd10fdd49718b3980db5ddd0d3efb609939ae2279e5d4
                                                        • Instruction ID: fb2c9c0d2bfc40ec943a801f72da8bb1ff8508c712101cd9549d2000466ca62d
                                                        • Opcode Fuzzy Hash: efbb4e3ffbab42bb7d8dd10fdd49718b3980db5ddd0d3efb609939ae2279e5d4
                                                        • Instruction Fuzzy Hash: 6A317FB5601609AFD7219F648C88AEB7FFCFB59744B54891EF486D2200DB34ED089B64
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00583AAF,?,?,Bad directive syntax error,005DCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005A98BC
                                                        • LoadStringW.USER32(00000000,?,00583AAF,?), ref: 005A98C3
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 005A9987
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: HandleLoadMessageModuleString_wcslen
                                                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                        • API String ID: 858772685-4153970271
                                                        • Opcode ID: f2b32199e5c8427270e6a733436745642f0e1de16187a82614a5ad48cb23ef6e
                                                        • Instruction ID: f6259c1a90bb9a456eabe2bfc7b3da696dc115bf80427ce93fa91bb72dbdc48c
                                                        • Opcode Fuzzy Hash: f2b32199e5c8427270e6a733436745642f0e1de16187a82614a5ad48cb23ef6e
                                                        • Instruction Fuzzy Hash: 8721713284021BFBDF15AF90CC0AEEE7B75BF54304F04442AF515650A2DB719A68DB50
                                                        APIs
                                                        • GetParent.USER32 ref: 005A20AB
                                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 005A20C0
                                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 005A214D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ClassMessageNameParentSend
                                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                        • API String ID: 1290815626-3381328864
                                                        • Opcode ID: 628cc50384f2eeaa7fa4ef998e705aab32efd69e24c67aeca7a077851f1a1007
                                                        • Instruction ID: f6d39feed8b41f48a4fa06d2d2bda0607242f613c6b3d7574b0fc5b779179b87
                                                        • Opcode Fuzzy Hash: 628cc50384f2eeaa7fa4ef998e705aab32efd69e24c67aeca7a077851f1a1007
                                                        • Instruction Fuzzy Hash: D911E7766C8707BAFA156228DC1BDAB3F9DEB16324F21011AF705A50D1EA61A841DA14
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                        • String ID:
                                                        • API String ID: 1282221369-0
                                                        • Opcode ID: 398894d47f5840ad9509cef7599cc1019ada3967781c7b5ef298d594c4c4fbbc
                                                        • Instruction ID: 26d3bf17be42c438aef510ae1e040ff2b0c419018180e005eb104d7730bbaacb
                                                        • Opcode Fuzzy Hash: 398894d47f5840ad9509cef7599cc1019ada3967781c7b5ef298d594c4c4fbbc
                                                        • Instruction Fuzzy Hash: 0761F771904301AFDF21AFB4BC59AA97FA5BF45310F08C16EF94D97241E6319D41BB60
                                                        APIs
                                                        • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 005D5186
                                                        • ShowWindow.USER32(?,00000000), ref: 005D51C7
                                                        • ShowWindow.USER32(?,00000005,?,00000000), ref: 005D51CD
                                                        • SetFocus.USER32(?,?,00000005,?,00000000), ref: 005D51D1
                                                          • Part of subcall function 005D6FBA: DeleteObject.GDI32(00000000), ref: 005D6FE6
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 005D520D
                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 005D521A
                                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005D524D
                                                        • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 005D5287
                                                        • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 005D5296
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                        • String ID:
                                                        • API String ID: 3210457359-0
                                                        • Opcode ID: fe14ef105e5cbb555a226f12dec34e851ddd7ead94ef777278e64011fe0fc836
                                                        • Instruction ID: d94177896c834cf0686c4f2e30994e3fdce9caa166e51427c57630cc9ff6dd34
                                                        • Opcode Fuzzy Hash: fe14ef105e5cbb555a226f12dec34e851ddd7ead94ef777278e64011fe0fc836
                                                        • Instruction Fuzzy Hash: 4F518D34A51A09EEEB309F6CCC49B983F65FB05361F144113FA659A3E0E775A988DB40
                                                        APIs
                                                        • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00596890
                                                        • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005968A9
                                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005968B9
                                                        • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005968D1
                                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005968F2
                                                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00558874,00000000,00000000,00000000,000000FF,00000000), ref: 00596901
                                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0059691E
                                                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00558874,00000000,00000000,00000000,000000FF,00000000), ref: 0059692D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                        • String ID:
                                                        • API String ID: 1268354404-0
                                                        • Opcode ID: fdcea42c1a5207feaad4d63049a5aa735d51cd756db21697b52eb8810f058299
                                                        • Instruction ID: 795ef8ddc953156bf3fdf13cccfa745d4ed1f3d787e523a8293d6a9857e7086b
                                                        • Opcode Fuzzy Hash: fdcea42c1a5207feaad4d63049a5aa735d51cd756db21697b52eb8810f058299
                                                        • Instruction Fuzzy Hash: 3E516A70600206EFDF20CF24CC65BAA7FBAFB94761F10451AF952A62A0DB70E958DB50
                                                        APIs
                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005BC182
                                                        • GetLastError.KERNEL32 ref: 005BC195
                                                        • SetEvent.KERNEL32(?), ref: 005BC1A9
                                                          • Part of subcall function 005BC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005BC272
                                                          • Part of subcall function 005BC253: GetLastError.KERNEL32 ref: 005BC322
                                                          • Part of subcall function 005BC253: SetEvent.KERNEL32(?), ref: 005BC336
                                                          • Part of subcall function 005BC253: InternetCloseHandle.WININET(00000000), ref: 005BC341
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                        • String ID:
                                                        • API String ID: 337547030-0
                                                        • Opcode ID: a19798fca80090362e12a5448b1da61a0e1d0ac33c979d49624955fc0d0f4bdb
                                                        • Instruction ID: 230f9225ac5e5690dfe28af5e552375c2a6e5de6e56183030621a7a3f0a0406d
                                                        • Opcode Fuzzy Hash: a19798fca80090362e12a5448b1da61a0e1d0ac33c979d49624955fc0d0f4bdb
                                                        • Instruction Fuzzy Hash: C3318D75201606AFDB219FA5DC48AA6BFF9FF68300B10481EF996C6610D730F814EBA4
                                                        APIs
                                                          • Part of subcall function 005A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005A3A57
                                                          • Part of subcall function 005A3A3D: GetCurrentThreadId.KERNEL32 ref: 005A3A5E
                                                          • Part of subcall function 005A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005A25B3), ref: 005A3A65
                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 005A25BD
                                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005A25DB
                                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005A25DF
                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 005A25E9
                                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005A2601
                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 005A2605
                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 005A260F
                                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005A2623
                                                        • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 005A2627
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                        • String ID:
                                                        • API String ID: 2014098862-0
                                                        • Opcode ID: 573ab52a7aaaf21aa966ebde85ca511f1b61f498c1bd2c1a6e03903ae6636c75
                                                        • Instruction ID: 11bd333979736c4e5d8322b8a81880e549032a5fc95719960b565e7dbafd270a
                                                        • Opcode Fuzzy Hash: 573ab52a7aaaf21aa966ebde85ca511f1b61f498c1bd2c1a6e03903ae6636c75
                                                        • Instruction Fuzzy Hash: 2501B130690221BBFB2067699C8EF593F59EB9EB12F100003F318AF0D1C9F26448DA69
                                                        APIs
                                                        • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,005A1449,?,?,00000000), ref: 005A180C
                                                        • HeapAlloc.KERNEL32(00000000,?,005A1449,?,?,00000000), ref: 005A1813
                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005A1449,?,?,00000000), ref: 005A1828
                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,005A1449,?,?,00000000), ref: 005A1830
                                                        • DuplicateHandle.KERNEL32(00000000,?,005A1449,?,?,00000000), ref: 005A1833
                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005A1449,?,?,00000000), ref: 005A1843
                                                        • GetCurrentProcess.KERNEL32(005A1449,00000000,?,005A1449,?,?,00000000), ref: 005A184B
                                                        • DuplicateHandle.KERNEL32(00000000,?,005A1449,?,?,00000000), ref: 005A184E
                                                        • CreateThread.KERNEL32(00000000,00000000,005A1874,00000000,00000000,00000000), ref: 005A1868
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                        • String ID:
                                                        • API String ID: 1957940570-0
                                                        • Opcode ID: 4468f4ad2e30c54a36dc66bb892d3704637a734843d27389e190392f85e34d20
                                                        • Instruction ID: 0172b065dfa425286af97bd7e940016711bbf9040a9e72e3566f9074775681c5
                                                        • Opcode Fuzzy Hash: 4468f4ad2e30c54a36dc66bb892d3704637a734843d27389e190392f85e34d20
                                                        • Instruction Fuzzy Hash: 0D01BBB5281319BFE720ABA5DC4DF6B3FACEB99B11F004412FA05DB1A1CA749804DB20
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: __alldvrm$_strrchr
                                                        • String ID: }}V$}}V$}}V
                                                        • API String ID: 1036877536-3343012335
                                                        • Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                                                        • Instruction ID: a0a1810ff1e11f91a3a940495fca301c2a8bf7bf191e27904596afa66de47390
                                                        • Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                                                        • Instruction Fuzzy Hash: E8A16871E007869FDB11DF18D8957AEBFE4FF61350F18816DE5999B281C3388981EB50
                                                        APIs
                                                          • Part of subcall function 005AD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 005AD501
                                                          • Part of subcall function 005AD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 005AD50F
                                                          • Part of subcall function 005AD4DC: CloseHandle.KERNEL32(00000000), ref: 005AD5DC
                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 005CA16D
                                                        • GetLastError.KERNEL32 ref: 005CA180
                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 005CA1B3
                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 005CA268
                                                        • GetLastError.KERNEL32(00000000), ref: 005CA273
                                                        • CloseHandle.KERNEL32(00000000), ref: 005CA2C4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                        • String ID: SeDebugPrivilege
                                                        • API String ID: 2533919879-2896544425
                                                        • Opcode ID: 0cded7ad77e38862f342d606b3f808a94e3ead13b854a778c3b41f64887db641
                                                        • Instruction ID: 91d6f349da7ee07cec0608798c330cdfc36ad32fbb6c7923aba126b0e09212f3
                                                        • Opcode Fuzzy Hash: 0cded7ad77e38862f342d606b3f808a94e3ead13b854a778c3b41f64887db641
                                                        • Instruction Fuzzy Hash: F1619D34205242AFD720DF58C498F19BFA1BF9431CF18848CE4568B7A2C776EC49CB92
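The two entries above (the AttachThreadInput / PostMessageW keystroke routine and the CreateToolhelp32Snapshot / OpenProcess / TerminateProcess routine guarded by SeDebugPrivilege) are the kind of API chains a triager wants to pull out of a report like this automatically. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the report's own "• API.MODULE(args), ref: addr" lines, including the indented "Part of subcall function" entries, and flags three chains. The chain names, the sample text (copied from the entries on this page) and the decision rules are this example's own choices; the numeric constants (PROCESS_TERMINATE, WM_KEYDOWN, WM_KEYUP) are the documented Win32 values. One caveat for reading the hits: because the report says the binary is likely a compiled AutoIt script, these routines are most plausibly the AutoIt runtime's implementations of built-ins such as Send and ProcessClose, so a match shows that the capability is present in the interpreter, not that the embedded script actually exercises it.

```python
"""Parse Joe Sandbox per-function API listings and flag suspicious chains.

Added example; rule set and chain labels are the author's own, not Joe
Sandbox signatures.  Input lines look like
    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 005CA16D
      • Part of subcall function 005A3A3D: AttachThreadInput.USER32(...), ref: 005A3A65
    • GetLastError.KERNEL32 ref: 005CA180          (no argument list)
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Documented Win32 constants.
PROCESS_TERMINATE = 0x0001
WM_KEYDOWN = 0x0100
WM_KEYUP = 0x0101

_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"          # argument list is optional
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]   # raw hex tokens; '?' means the analyzer could not resolve it
    ref: int                # address of the call site
    subcall: Optional[int]  # address of the callee when the line is a subcall entry


def _arg(call: ApiCall, i: int) -> Optional[int]:
    """Argument i as an int, or None when it is missing or unresolved ('?')."""
    if i >= len(call.args) or call.args[i] == "?":
        return None
    return int(call.args[i], 16)


def parse_api_lines(text: str):
    """Return the ApiCall list for one function's 'APIs' block, in report order."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                       # headings, hashes, dump metadata
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16),
                             int(sub, 16) if sub else None))
    return calls


def flag_chains(calls):
    """Return the set of chain labels that the ordered call list matches."""
    names = [c.api for c in calls]
    found = set()

    # 1. OpenProcess with PROCESS_TERMINATE in the access mask, then TerminateProcess.
    kill_opens = [c for c in calls if c.api == "OpenProcess"
                  and _arg(c, 0) is not None and _arg(c, 0) & PROCESS_TERMINATE]
    if kill_opens and "TerminateProcess" in names:
        found.add("process-kill")
        if "CreateToolhelp32Snapshot" in names:   # target chosen by walking the process list
            found.add("process-kill:enumerated")

    # 2. AttachThreadInput to a foreign window's thread, then synthetic key events.
    key_posts = [c for c in calls if c.api == "PostMessageW"
                 and _arg(c, 1) in (WM_KEYDOWN, WM_KEYUP)]
    if key_posts and "AttachThreadInput" in names:
        found.add("keystroke-injection")

    # 3. Outbound WinINet use.
    if {"InternetConnectW", "InternetOpenUrlW"} & set(names):
        found.add("wininet-outbound")
    return found


# Sample blocks copied from the report entries above.
SAMPLE_KILL = """\
  • Part of subcall function 005AD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 005AD501
  • Part of subcall function 005AD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 005AD50F
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 005CA16D
• GetLastError.KERNEL32 ref: 005CA180
• TerminateProcess.KERNEL32(00000000,00000000), ref: 005CA268
• CloseHandle.KERNEL32(00000000), ref: 005CA2C4
"""
SAMPLE_KEYS = """\
  • Part of subcall function 005A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005A25B3), ref: 005A3A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 005A25BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005A25DB
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005A2623
"""
SAMPLE_ICON = "• LoadIconW.USER32(00000000,00007F03), ref: 005AC913\n"

if __name__ == "__main__":
    for label, block in (("kill", SAMPLE_KILL), ("keys", SAMPLE_KEYS), ("icon", SAMPLE_ICON)):
        print(label, sorted(flag_chains(parse_api_lines(block))))
```

Feed it the "APIs" block of each function (the text between "APIs" and "Memory Dump Source") to get a per-function capability tag; the subcall address lets you tie a hit back to the helper, for instance 005AD4DC for the snapshot walk, when several callers share it.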
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005D3925
                                                        • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 005D393A
                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005D3954
                                                        • _wcslen.LIBCMT ref: 005D3999
                                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 005D39C6
                                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 005D39F4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$Window_wcslen
                                                        • String ID: SysListView32
                                                        • API String ID: 2147712094-78025650
                                                        • Opcode ID: 39c592a52c63e968c33b5f1fd1ee25d987d09a9188665a503ab87222cb3dd9c5
                                                        • Instruction ID: 8465d7c82b2f7a7e7a8a4d5eef3ffbe8af345ae0985f051c5c72cd937b70b332
                                                        • Opcode Fuzzy Hash: 39c592a52c63e968c33b5f1fd1ee25d987d09a9188665a503ab87222cb3dd9c5
                                                        • Instruction Fuzzy Hash: 6F418271A00219ABEB319F68CC49BEA7FA9FF48350F100527F958E7291D771DA84DB90
                                                        APIs
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005ABCFD
                                                        • IsMenu.USER32(00000000), ref: 005ABD1D
                                                        • CreatePopupMenu.USER32 ref: 005ABD53
                                                        • GetMenuItemCount.USER32(00EA4AB8), ref: 005ABDA4
                                                        • InsertMenuItemW.USER32(00EA4AB8,?,00000001,00000030), ref: 005ABDCC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                        • String ID: 0$2
                                                        • API String ID: 93392585-3793063076
                                                        • Opcode ID: 532316a796d89e6edcc9f9492a93c8af23c64fa57f0f2638a151dfa63b43daf1
                                                        • Instruction ID: 6940edf836c68d2f07b53a72f742ab309f94ba9fdb2ed0054e4dda0394d87d7d
                                                        • Opcode Fuzzy Hash: 532316a796d89e6edcc9f9492a93c8af23c64fa57f0f2638a151dfa63b43daf1
                                                        • Instruction Fuzzy Hash: 3251B270A002069BEF20CFB8D888BAEBFF4BF57314F14465AE401DB292D7719944CB91
                                                        APIs
                                                        • _ValidateLocalCookies.LIBCMT ref: 00562D4B
                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 00562D53
                                                        • _ValidateLocalCookies.LIBCMT ref: 00562DE1
                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 00562E0C
                                                        • _ValidateLocalCookies.LIBCMT ref: 00562E61
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                        • String ID: &HV$csm
                                                        • API String ID: 1170836740-3780476894
                                                        • Opcode ID: 6ec6d90468bd4e88f66735c1a0cde0490858cc03498c1c4678e393c4556604f5
                                                        • Instruction ID: 8d122fcd2746a80df187c4afa5a5cf9bff9f568d57d29818f16f634bc7c71b19
                                                        • Opcode Fuzzy Hash: 6ec6d90468bd4e88f66735c1a0cde0490858cc03498c1c4678e393c4556604f5
                                                        • Instruction Fuzzy Hash: C741D634E0160AABCF10DF68C845ADEBFB5BF85324F148155E815AB392D7319E06CBD0
                                                        APIs
                                                        • LoadIconW.USER32(00000000,00007F03), ref: 005AC913
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: IconLoad
                                                        • String ID: blank$info$question$stop$warning
                                                        • API String ID: 2457776203-404129466
                                                        • Opcode ID: 086bf32faa9d046b382dc6a15b43d2aed0aafe4773f2a8e0ece31a04bd96d265
                                                        • Instruction ID: 9a39e033fb6b60ab909904ab176ba2959878b11ca32655df863f42264a3dde46
                                                        • Opcode Fuzzy Hash: 086bf32faa9d046b382dc6a15b43d2aed0aafe4773f2a8e0ece31a04bd96d265
                                                        • Instruction Fuzzy Hash: D4110236689307BEE7159B54DC82CAF2FDCFF16724B20042FF500A62C2E7B4AE405669
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                        • String ID: 0.0.0.0
                                                        • API String ID: 642191829-3771769585
                                                        • Opcode ID: 4d89d552dc4e278e6b407cc32687ea51d245c0880ae64b3a7a38b55ebccb202b
                                                        • Instruction ID: 818c71d658f982572c765e8ca8b57869d32cfb647ee19400964628e49f6c34ed
                                                        • Opcode Fuzzy Hash: 4d89d552dc4e278e6b407cc32687ea51d245c0880ae64b3a7a38b55ebccb202b
                                                        • Instruction Fuzzy Hash: 2711D231904116AFCB34BB209C4AEEE7FBCFB62711F00016AF5569A091EF718A859A70
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$LocalTime
                                                        • String ID:
                                                        • API String ID: 952045576-0
                                                        • Opcode ID: 9e58d35750c9615547abc926bf0745f3cb75d9ab3ba40b2f758270586aae96c9
                                                        • Instruction ID: 7aaf6831f86909ed356149868049c92eb8a5b3a3948bd86a2474cb1e6328d9b4
                                                        • Opcode Fuzzy Hash: 9e58d35750c9615547abc926bf0745f3cb75d9ab3ba40b2f758270586aae96c9
                                                        • Instruction Fuzzy Hash: E241A269D1021975DB11EBF4888E9CFBBBCBF85310F508866E514E3122FB34E285C7A5
                                                        APIs
                                                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0059682C,00000004,00000000,00000000), ref: 0055F953
                                                        • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0059682C,00000004,00000000,00000000), ref: 0059F3D1
                                                        • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0059682C,00000004,00000000,00000000), ref: 0059F454
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ShowWindow
                                                        • String ID:
                                                        • API String ID: 1268545403-0
                                                        • Opcode ID: 5f9c08d3edd2d39bddb466d21a07ec4e680052d7130ef3e0f2b1983f81e7de68
                                                        • Instruction ID: 78d6dfc01c44200e081ecd2bc5fd245737e88440cad889004922a7a31c93dc41
                                                        • Opcode Fuzzy Hash: 5f9c08d3edd2d39bddb466d21a07ec4e680052d7130ef3e0f2b1983f81e7de68
                                                        • Instruction Fuzzy Hash: B8415231104E40BBCB348B3CD8AC76A7FB1BB96312F14483FE94796560D631948CD711
                                                        APIs
                                                        • DeleteObject.GDI32(00000000), ref: 005D2D1B
                                                        • GetDC.USER32(00000000), ref: 005D2D23
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005D2D2E
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 005D2D3A
                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 005D2D76
                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 005D2D87
                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,005D5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 005D2DC2
                                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005D2DE1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                        • String ID:
                                                        • API String ID: 3864802216-0
                                                        • Opcode ID: bfec327e8457de59ae15b96f9bd0dc9994bc7ce66af00384df8cf3c46075ad14
                                                        • Instruction ID: b11c761e7761b32c3006c0ffbe2107d703cc96058678fa3fe669aa07ca067bd2
                                                        • Opcode Fuzzy Hash: bfec327e8457de59ae15b96f9bd0dc9994bc7ce66af00384df8cf3c46075ad14
                                                        • Instruction Fuzzy Hash: 04318B72202214BFEB218F548C8AFEB3FA9FF19711F044057FE089A291C6759C41CBA0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _memcmp
                                                        • String ID:
                                                        • API String ID: 2931989736-0
                                                        • Opcode ID: 2301489eac019e8449032379de87aca07074f26c1716ca231cfaba68480dadaf
                                                        • Instruction ID: 7646d58831543efac81ed2f594617e079ff7adc199669d4ab32ba5246151091b
                                                        • Opcode Fuzzy Hash: 2301489eac019e8449032379de87aca07074f26c1716ca231cfaba68480dadaf
                                                        • Instruction Fuzzy Hash: 0C219871744E06B7922455145E86FBE3F5CBE62385B444822FD175B741F720ED1082A9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: NULL Pointer assignment$Not an Object type
                                                        • API String ID: 0-572801152
                                                        • Opcode ID: 4ed76feba4d8d549589f2e77c6edd6226d5c5284ec70f8099a2a50aa227af64c
                                                        • Instruction ID: cb1d0b7eadeb0246ada8f96d4c71d0bef1e26ff4a6bc0e3228b0f961177994eb
                                                        • Opcode Fuzzy Hash: 4ed76feba4d8d549589f2e77c6edd6226d5c5284ec70f8099a2a50aa227af64c
                                                        • Instruction Fuzzy Hash: 9CD17F75A0060A9FDF10CFE8C885FAEBBB5BF48344F14856DE915AB281E770AD85CB50
                                                        APIs
                                                        • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,005817FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 005815CE
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00581651
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,005817FB,?,005817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005816E4
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005816FB
                                                          • Part of subcall function 00573820: RtlAllocateHeap.NTDLL(00000000,?,00611444,?,0055FDF5,?,?,0054A976,00000010,00611440,005413FC,?,005413C6,?,00541129), ref: 00573852
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,005817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00581777
                                                        • __freea.LIBCMT ref: 005817A2
                                                        • __freea.LIBCMT ref: 005817AE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                        • String ID:
                                                        • API String ID: 2829977744-0
                                                        • Opcode ID: 150dc2924e8894df8c56884a0ce6dddafc712bc44c5411bb5174bf3c490c2534
                                                        • Instruction ID: f80dd475a99d9faeafe562b72f926b49d0834c62c258f341c1704c15669b9eea
                                                        • Opcode Fuzzy Hash: 150dc2924e8894df8c56884a0ce6dddafc712bc44c5411bb5174bf3c490c2534
                                                        • Instruction Fuzzy Hash: 7E91B271E00A169ADB20AE64D885AEE7FB9FF49310F184659EC06F7181DB35CC42CB64
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearInit
                                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                        • API String ID: 2610073882-625585964
                                                        • Opcode ID: 7a54c7dc5a197da9a218068cee5343b12214f32fcf43b2736159fe6dabad0c02
                                                        • Instruction ID: bfcf9001bb8c948a20f8bba947d802e4eee30e128841d422e81322897f6ae10e
                                                        • Opcode Fuzzy Hash: 7a54c7dc5a197da9a218068cee5343b12214f32fcf43b2736159fe6dabad0c02
                                                        • Instruction Fuzzy Hash: D8914971A00219AFDF24CFA4C858FAEBBB8FF46715F10855EE505AB281D7709945CFA0
                                                        APIs
                                                        • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 005B125C
                                                        • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 005B1284
                                                        • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005B12A8
                                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005B12D8
                                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005B135F
                                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005B13C4
                                                        • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005B1430
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                        • String ID:
                                                        • API String ID: 2550207440-0
                                                        • Opcode ID: 6b8a8d2f7fba7fd9af724529b48a8a9cc48cf905260e9f4438005d748ca2371f
                                                        • Instruction ID: 4d24594cce8a94778ba14d1e3531a4877f196b7060da49c79d452a9d18788089
                                                        • Opcode Fuzzy Hash: 6b8a8d2f7fba7fd9af724529b48a8a9cc48cf905260e9f4438005d748ca2371f
                                                        • Instruction Fuzzy Hash: 2F91F17590060A9FDB409F94C8A9BFEBFB5FF85315F10442AE900EB291D774B941CB94
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ObjectSelect$BeginCreatePath
                                                        • String ID:
                                                        • API String ID: 3225163088-0
                                                        • Opcode ID: f6813842f75446ca7f9d22aa06d5a6f616f34ab9ae5314b6b38b4c24b205cdfe
                                                        • Instruction ID: 5985bd591d95b7b5d2299cb8d47ffd673d0802e24f85abf987fe2a4cc7e159b8
                                                        • Opcode Fuzzy Hash: f6813842f75446ca7f9d22aa06d5a6f616f34ab9ae5314b6b38b4c24b205cdfe
                                                        • Instruction Fuzzy Hash: 8191177190021AEFCB10CFA9C888AEEBFB8FF49321F144556E915B7251D378A955CB60
                                                        APIs
                                                        • VariantInit.OLEAUT32(?), ref: 005C396B
                                                        • CharUpperBuffW.USER32(?,?), ref: 005C3A7A
                                                        • _wcslen.LIBCMT ref: 005C3A8A
                                                        • VariantClear.OLEAUT32(?), ref: 005C3C1F
                                                          • Part of subcall function 005B0CDF: VariantInit.OLEAUT32(00000000), ref: 005B0D1F
                                                          • Part of subcall function 005B0CDF: VariantCopy.OLEAUT32(?,?), ref: 005B0D28
                                                          • Part of subcall function 005B0CDF: VariantClear.OLEAUT32(?), ref: 005B0D34
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                        • API String ID: 4137639002-1221869570
                                                        • Opcode ID: dc54ea89e4d42e4dde49713f3625910c874e29ccb31a666a3e34a34ef4432042
                                                        • Instruction ID: f57ff495e2986983109008bcc801498c81cc3274f2db872eb148cdbfdef707b8
                                                        • Opcode Fuzzy Hash: dc54ea89e4d42e4dde49713f3625910c874e29ccb31a666a3e34a34ef4432042
                                                        • Instruction Fuzzy Hash: 91916A756083069FC704DF68C48596ABBE4FF88318F14892EF8899B351DB31EE05CB92
                                                        APIs
                                                          • Part of subcall function 005A000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0059FF41,80070057,?,?,?,005A035E), ref: 005A002B
                                                          • Part of subcall function 005A000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0059FF41,80070057,?,?), ref: 005A0046
                                                          • Part of subcall function 005A000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0059FF41,80070057,?,?), ref: 005A0054
                                                          • Part of subcall function 005A000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0059FF41,80070057,?), ref: 005A0064
                                                        • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 005C4C51
                                                        • _wcslen.LIBCMT ref: 005C4D59
                                                        • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 005C4DCF
                                                        • CoTaskMemFree.OLE32(?), ref: 005C4DDA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                        • String ID: NULL Pointer assignment
                                                        • API String ID: 614568839-2785691316
                                                        • Opcode ID: 47e8ead51f5ef78327d61c41a9e68d4dd50230a6b77894964129a35aca8b4814
                                                        • Instruction ID: 5c596cf6cb37b5c91439c8e94e0d55470de13e9c76065eaf95ab6829f54652b1
                                                        • Opcode Fuzzy Hash: 47e8ead51f5ef78327d61c41a9e68d4dd50230a6b77894964129a35aca8b4814
                                                        • Instruction Fuzzy Hash: 84911571D0021AAFDF14DFE4D895EEEBBB8BF48304F10856AE915A7251DB309A44CF61
                                                        APIs
                                                        • GetMenu.USER32(?), ref: 005D2183
                                                        • GetMenuItemCount.USER32(00000000), ref: 005D21B5
                                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005D21DD
                                                        • _wcslen.LIBCMT ref: 005D2213
                                                        • GetMenuItemID.USER32(?,?), ref: 005D224D
                                                        • GetSubMenu.USER32(?,?), ref: 005D225B
                                                          • Part of subcall function 005A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005A3A57
                                                          • Part of subcall function 005A3A3D: GetCurrentThreadId.KERNEL32 ref: 005A3A5E
                                                          • Part of subcall function 005A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005A25B3), ref: 005A3A65
                                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005D22E3
                                                          • Part of subcall function 005AE97B: Sleep.KERNELBASE ref: 005AE9F3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                        • String ID:
                                                        • API String ID: 4196846111-0
                                                        • Opcode ID: e0adaede80de3861f889adc0224bb48d02154dd2199cfd6df9a11182f4a96e8c
                                                        • Instruction ID: 3ea5ab8c124b93de11402804b65268fb50b2f1993991ac46043f103e7e50c87b
                                                        • Opcode Fuzzy Hash: e0adaede80de3861f889adc0224bb48d02154dd2199cfd6df9a11182f4a96e8c
                                                        • Instruction Fuzzy Hash: 03715E75A00216AFCB20DFA8C845AAEBFB5FF98310F14845AE916EB351D735E941CB90
                                                        APIs
                                                        • IsWindow.USER32(00EA4D88), ref: 005D7F37
                                                        • IsWindowEnabled.USER32(00EA4D88), ref: 005D7F43
                                                        • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 005D801E
                                                        • SendMessageW.USER32(00EA4D88,000000B0,?,?), ref: 005D8051
                                                        • IsDlgButtonChecked.USER32(?,?), ref: 005D8089
                                                        • GetWindowLongW.USER32(00EA4D88,000000EC), ref: 005D80AB
                                                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 005D80C3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                        • String ID:
                                                        • API String ID: 4072528602-0
                                                        • Opcode ID: 2c6ab668965cf90d2345403a3fa018af5f307c7bf500ba6fe1eb712a053c47c4
                                                        • Instruction ID: 96ef508ee90f8d0c16d051874d71acd5c59c0bed0faa157a7d70ef0a7108a142
                                                        • Opcode Fuzzy Hash: 2c6ab668965cf90d2345403a3fa018af5f307c7bf500ba6fe1eb712a053c47c4
                                                        • Instruction Fuzzy Hash: 5971A03460924AAFEB319F68C884FBABFB5FF19300F14445BE95597361DB31A848DB10
                                                        APIs
                                                        • GetParent.USER32(?), ref: 005AAEF9
                                                        • GetKeyboardState.USER32(?), ref: 005AAF0E
                                                        • SetKeyboardState.USER32(?), ref: 005AAF6F
                                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 005AAF9D
                                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 005AAFBC
                                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 005AAFFD
                                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 005AB020
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessagePost$KeyboardState$Parent
                                                        • String ID:
                                                        • API String ID: 87235514-0
                                                        • Opcode ID: 7742eb3656212c001618afcb510779b3fb6be197abdedafd4c90ea5ece3995b8
                                                        • Instruction ID: 065dd5b75b43a3287fe8aa8baea714a9fde307e1c938dd32e89afaced4eb6d76
                                                        • Opcode Fuzzy Hash: 7742eb3656212c001618afcb510779b3fb6be197abdedafd4c90ea5ece3995b8
                                                        • Instruction Fuzzy Hash: DC5181A06047D63DFB3682348C49BBEBEA97F47304F08858AE1D9558C3D799ACC8D791
                                                        APIs
                                                        • GetParent.USER32(00000000), ref: 005AAD19
                                                        • GetKeyboardState.USER32(?), ref: 005AAD2E
                                                        • SetKeyboardState.USER32(?), ref: 005AAD8F
                                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 005AADBB
                                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 005AADD8
                                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 005AAE17
                                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 005AAE38
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessagePost$KeyboardState$Parent
                                                        • String ID:
                                                        • API String ID: 87235514-0
                                                        • Opcode ID: 45cd1092d8b1e3b066478f6493035b5d01dd83952e71f7e62e268a25b3ef730c
                                                        • Instruction ID: 40e274b9701b5300cefc9cc58821f6f9ee72b7429b52f70750b5f75ed9b4fe98
                                                        • Opcode Fuzzy Hash: 45cd1092d8b1e3b066478f6493035b5d01dd83952e71f7e62e268a25b3ef730c
                                                        • Instruction Fuzzy Hash: BF51B1A15047D63DFB3782248C55B7EBEA97B47300F088589E1D55A8C2D394EC88E7A2
                                                        APIs
                                                        • GetConsoleCP.KERNEL32(00583CD6,?,?,?,?,?,?,?,?,00575BA3,?,?,00583CD6,?,?), ref: 00575470
                                                        • __fassign.LIBCMT ref: 005754EB
                                                        • __fassign.LIBCMT ref: 00575506
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00583CD6,00000005,00000000,00000000), ref: 0057552C
                                                        • WriteFile.KERNEL32(?,00583CD6,00000000,00575BA3,00000000,?,?,?,?,?,?,?,?,?,00575BA3,?), ref: 0057554B
                                                        • WriteFile.KERNEL32(?,?,00000001,00575BA3,00000000,?,?,?,?,?,?,?,?,?,00575BA3,?), ref: 00575584
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                        • String ID:
                                                        • API String ID: 1324828854-0
                                                        • Opcode ID: 81a6b76616826f4f74282d30a5cc9e9f201dfd11803810ac671da7cc738b924d
                                                        • Instruction ID: d59209b8b0da40382e8a562c3d04e79368ccabf90c08bbcddb1d64daed39566b
                                                        • Opcode Fuzzy Hash: 81a6b76616826f4f74282d30a5cc9e9f201dfd11803810ac671da7cc738b924d
                                                        • Instruction Fuzzy Hash: BE51C4709006499FDB10CFA8E845AEEBFF9FF09300F14851AF959E7291E7709A41DB60
                                                        APIs
                                                          • Part of subcall function 005C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005C307A
                                                          • Part of subcall function 005C304E: _wcslen.LIBCMT ref: 005C309B
                                                        • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005C1112
                                                        • WSAGetLastError.WSOCK32 ref: 005C1121
                                                        • WSAGetLastError.WSOCK32 ref: 005C11C9
                                                        • closesocket.WSOCK32(00000000), ref: 005C11F9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                        • String ID:
                                                        • API String ID: 2675159561-0
                                                        • Opcode ID: 5d1dc674631960fd0b17348807f8261d67bcefe0f1d99fae2c29c6d1a1677ebc
                                                        • Instruction ID: f69c016c7767d55ab902776de3d8570be44122e9fc052730f80dc4e2e1a3ddde
                                                        • Opcode Fuzzy Hash: 5d1dc674631960fd0b17348807f8261d67bcefe0f1d99fae2c29c6d1a1677ebc
                                                        • Instruction Fuzzy Hash: E341D331600605AFDB109F54C848FA9BFE9FF86324F18815AFD169B292C774ED45CBA4
                                                        APIs
                                                          • Part of subcall function 005ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005ACF22,?), ref: 005ADDFD
                                                          • Part of subcall function 005ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005ACF22,?), ref: 005ADE16
                                                        • lstrcmpiW.KERNEL32(?,?), ref: 005ACF45
                                                        • MoveFileW.KERNEL32(?,?), ref: 005ACF7F
                                                        • _wcslen.LIBCMT ref: 005AD005
                                                        • _wcslen.LIBCMT ref: 005AD01B
                                                        • SHFileOperationW.SHELL32(?), ref: 005AD061
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                        • String ID: \*.*
                                                        • API String ID: 3164238972-1173974218
                                                        • Opcode ID: 89a7370ecdaa539919c83456af4aa42eb0b725d6bb0f41df7020d93cef3263a3
                                                        • Instruction ID: ec01e851f9fea4d13dc09c8f4795a018f545638c8e69b9c12fa467582af2591f
                                                        • Opcode Fuzzy Hash: 89a7370ecdaa539919c83456af4aa42eb0b725d6bb0f41df7020d93cef3263a3
                                                        • Instruction Fuzzy Hash: E84167719452195FDF12EFA4D985ADEBFB9BF49340F0000E6E505EB141EB34AA88CB50
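The raw Win32 constants in the listings above are what carry the security meaning: the two PostMessageW functions push WM_KEYDOWN (0x100) and WM_KEYUP (0x101) for VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN after rewriting the keyboard state, the WSOCK32 function opens an AF_INET/SOCK_STREAM/IPPROTO_TCP socket, CoCreateInstanceEx is called with a dwClsCtx of 0x15 (which includes CLSCTX_REMOTE_SERVER), and the file function pairs MoveFileW with SHFileOperationW. The following is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses "APIs" lists in the layout shown on this page and maps each function's call set to a capability tag. The constants are the documented Win32, Winsock and COM values; the tag names and the rules that assign them are this example's own, and the embedded sample is constructed from lines copied from the listings above.

```python
"""Triage helper for Joe Sandbox IDA-plugin "APIs" listings (added example)."""
import re

# Documented Win32 message numbers and virtual-key codes seen in the listing.
WINDOW_MESSAGES = {
    0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0111: "WM_COMMAND",
    0x00A1: "WM_NCLBUTTONDOWN", 0x00B0: "EM_GETSEL",
    0x00F0: "BM_GETCHECK", 0x00F1: "BM_SETCHECK",
}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
CLSCTX_REMOTE_SERVER = 0x10      # bit in CoCreateInstanceEx's dwClsCtx argument
HTCAPTION = 2                    # WM_NCLBUTTONDOWN wParam: synthetic title-bar click

# One call line: optional "Part of subcall function X:" prefix, API.MODULE(args), ref.
CALL_RE = re.compile(
    r"^\u2022\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)

# Constructed sample: lines copied from the function summaries on this page.
SAMPLE = """\
APIs
• GetParent.USER32(?), ref: 005AAEF9
• GetKeyboardState.USER32(?), ref: 005AAF0E
• SetKeyboardState.USER32(?), ref: 005AAF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 005AAF9D
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 005AB020
APIs
  • Part of subcall function 005C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005C307A
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005C1112
• WSAGetLastError.WSOCK32 ref: 005C1121
• closesocket.WSOCK32(00000000), ref: 005C11F9
APIs
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 005C4C51
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 005C4DCF
APIs
• lstrcmpiW.KERNEL32(?,?), ref: 005ACF45
• MoveFileW.KERNEL32(?,?), ref: 005ACF7F
• SHFileOperationW.SHELL32(?), ref: 005AD061
"""


def _arg(args, i):
    """Argument i as an unsigned 32-bit int, or None for '?' / missing / non-hex."""
    if i >= len(args) or args[i] == "?":
        return None
    try:
        return int(args[i], 16) & 0xFFFFFFFF   # listing prints signed values like -C000001E
    except ValueError:
        return None


def parse_api_blocks(text):
    """Split the listing into one record (list of calls) per 'APIs' header."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            records.append([])
            continue
        m = CALL_RE.match(line)
        if not m or not records:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        records[-1].append({"api": m.group("api"), "module": m.group("mod"), "args": args,
                            "ref": m.group("ref"), "subcall": m.group("sub") is not None})
    return records


def decode_message(msg, wparam):
    """Name a window message and, for key messages, the virtual key in wParam."""
    name = WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")
    if msg in (0x0100, 0x0101) and wparam in VIRTUAL_KEYS:
        name += " " + VIRTUAL_KEYS[wparam]
    return name


def tag_record(calls):
    """Map one function's call set to capability tags (rules are this example's own)."""
    apis = {c["api"] for c in calls}
    tags = set()
    for c in calls:
        if c["api"] in ("PostMessageW", "SendMessageW"):
            msg, wp = _arg(c["args"], 1), _arg(c["args"], 2)
            if msg in (0x0100, 0x0101):
                tags.add("keystroke-injection")
            if msg == 0x00A1 and wp == HTCAPTION:
                tags.add("window-drag")
        elif c["api"] == "socket":
            if tuple(_arg(c["args"], i) for i in range(3)) == (2, 1, 6):  # AF_INET, SOCK_STREAM, IPPROTO_TCP
                tags.add("tcp-socket")
        elif c["api"] == "CoCreateInstanceEx":
            ctx = _arg(c["args"], 2)
            if ctx is not None and ctx & CLSCTX_REMOTE_SERVER:
                tags.add("dcom-remote-activation")
    if "SetKeyboardState" in apis and "keystroke-injection" in tags:
        tags.add("modifier-state-spoofing")
    if {"MoveFileW", "SHFileOperationW"} & apis:
        tags.add("file-move")
    return sorted(tags)


def triage(text):
    """Return, per function record, its direct call-site refs and capability tags."""
    return [{"refs": [c["ref"] for c in calls if not c["subcall"]], "tags": tag_record(calls)}
            for calls in parse_api_blocks(text)]


if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec["refs"][0], ",".join(rec["tags"]) or "-")
```

Only direct call sites are used as the record's address hints; "Part of subcall function" lines are parsed but excluded from the refs, since they belong to a callee shared by many functions. Feed the helper a whole exported listing and the keystroke, socket, DCOM and file-move functions of the AutoIt runtime fall out without reading every block.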
                                                        APIs
                                                        • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 005D2E1C
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 005D2E4F
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 005D2E84
                                                        • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 005D2EB6
                                                        • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 005D2EE0
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 005D2EF1
                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 005D2F0B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: LongWindow$MessageSend
                                                        • String ID:
                                                        • API String ID: 2178440468-0
                                                        • Opcode ID: 17f1de9aaf4a2afd14bdcb8be762473118209cd4d6f1075b4db0d3e9d211fc8a
                                                        • Instruction ID: 437dfc6e865122382bc1aec3e06ff62069ba16f74979dce6db3738c381a6f1b7
                                                        • Opcode Fuzzy Hash: 17f1de9aaf4a2afd14bdcb8be762473118209cd4d6f1075b4db0d3e9d211fc8a
                                                        • Instruction Fuzzy Hash: C13103306451419FDB31CF1CDC84FA53BA9FBAA710F1845A7FA148F2B1CB61A844DB00
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005A7769
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005A778F
                                                        • SysAllocString.OLEAUT32(00000000), ref: 005A7792
                                                        • SysAllocString.OLEAUT32(?), ref: 005A77B0
                                                        • SysFreeString.OLEAUT32(?), ref: 005A77B9
                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 005A77DE
                                                        • SysAllocString.OLEAUT32(?), ref: 005A77EC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                        • String ID:
                                                        • API String ID: 3761583154-0
                                                        • Opcode ID: 1bcb2e9274c36159ac0dbaa2611f96fbd3deeeadd254441dcebe7d83cb328eea
                                                        • Instruction ID: 1e255b36be88b986b0906f5e054dd8d4aa8c3e2b20dd0431ee07ef8b79a2aaf5
                                                        • Opcode Fuzzy Hash: 1bcb2e9274c36159ac0dbaa2611f96fbd3deeeadd254441dcebe7d83cb328eea
                                                        • Instruction Fuzzy Hash: 2A219C7660921AAFDF10DFA8CC88CBE7BACFB0A3647008526BA14DB150D6709C45C760
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005A7842
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005A7868
                                                        • SysAllocString.OLEAUT32(00000000), ref: 005A786B
                                                        • SysAllocString.OLEAUT32 ref: 005A788C
                                                        • SysFreeString.OLEAUT32 ref: 005A7895
                                                        • StringFromGUID2.OLE32(?,?,00000028), ref: 005A78AF
                                                        • SysAllocString.OLEAUT32(?), ref: 005A78BD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                        • String ID:
                                                        • API String ID: 3761583154-0
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 005B04F2
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005B052E
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 005B05C6
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005B0601
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
APIs
  • Part of subcall function 0054600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0054604C
  • Part of subcall function 0054600E: GetStockObject.GDI32(00000011), ref: 00546060
  • Part of subcall function 0054600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0054606A
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005D4112
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005D411F
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005D412A
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 005D4139
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005D4145
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
APIs
  • Part of subcall function 0057D7A3: _free.LIBCMT ref: 0057D7CC
• _free.LIBCMT ref: 0057D82D
  • Part of subcall function 005729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0057D7D1,00000000,00000000,00000000,00000000,?,0057D7F8,00000000,00000007,00000000,?,0057DBF5,00000000), ref: 005729DE
  • Part of subcall function 005729C8: GetLastError.KERNEL32(00000000,?,0057D7D1,00000000,00000000,00000000,00000000,?,0057D7F8,00000000,00000007,00000000,?,0057DBF5,00000000,00000000), ref: 005729F0
• _free.LIBCMT ref: 0057D838
• _free.LIBCMT ref: 0057D843
• _free.LIBCMT ref: 0057D897
• _free.LIBCMT ref: 0057D8A2
• _free.LIBCMT ref: 0057D8AD
• _free.LIBCMT ref: 0057D8B8
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 005ADA74
• LoadStringW.USER32(00000000), ref: 005ADA7B
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 005ADA91
• LoadStringW.USER32(00000000), ref: 005ADA98
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 005ADADC
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 005ADAB9
Similarity
• API ID: HandleLoadModuleString$Message
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 4072794657-3128320259
APIs
• InterlockedExchange.KERNEL32(00E9E450,00E9E450), ref: 005B097B
• EnterCriticalSection.KERNEL32(00E9E430,00000000), ref: 005B098D
• TerminateThread.KERNEL32(?,000001F6), ref: 005B099B
• WaitForSingleObject.KERNEL32(?,000003E8), ref: 005B09A9
• CloseHandle.KERNEL32(?), ref: 005B09B8
• InterlockedExchange.KERNEL32(00E9E450,000001F6), ref: 005B09C8
• LeaveCriticalSection.KERNEL32(00E9E430), ref: 005B09CF
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 005C1DC0
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 005C1DE1
• WSAGetLastError.WSOCK32 ref: 005C1DF2
• htons.WSOCK32(?,?,?,?,?), ref: 005C1EDB
• inet_ntoa.WSOCK32(?), ref: 005C1E8C
  • Part of subcall function 005A39E8: _strlen.LIBCMT ref: 005A39F2
  • Part of subcall function 005C3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,005BEC0C), ref: 005C3240
• _strlen.LIBCMT ref: 005C1F35
Similarity
• API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
• String ID:
• API String ID: 3203458085-0
APIs
• GetClientRect.USER32(?,?), ref: 00545D30
• GetWindowRect.USER32(?,?), ref: 00545D71
• ScreenToClient.USER32(?,?), ref: 00545D99
• GetClientRect.USER32(?,?), ref: 00545ED7
• GetWindowRect.USER32(?,?), ref: 00545EF8
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
APIs
• __allrem.LIBCMT ref: 005700BA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005700D6
• __allrem.LIBCMT ref: 005700ED
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0057010B
• __allrem.LIBCMT ref: 00570122
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00570140
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005682D9,005682D9,?,?,?,0057644F,00000001,00000001,8BE85006), ref: 00576258
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0057644F,00000001,00000001,8BE85006,?,?,?), ref: 005762DE
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005763D8
• __freea.LIBCMT ref: 005763E5
  • Part of subcall function 00573820: RtlAllocateHeap.NTDLL(00000000,?,00611444,?,0055FDF5,?,?,0054A976,00000010,00611440,005413FC,?,005413C6,?,00541129), ref: 00573852
• __freea.LIBCMT ref: 005763EE
• __freea.LIBCMT ref: 00576413
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
APIs
  • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
  • Part of subcall function 005CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005CB6AE,?,?), ref: 005CC9B5
  • Part of subcall function 005CC998: _wcslen.LIBCMT ref: 005CC9F1
  • Part of subcall function 005CC998: _wcslen.LIBCMT ref: 005CCA68
  • Part of subcall function 005CC998: _wcslen.LIBCMT ref: 005CCA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005CBCCA
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005CBD25
• RegCloseKey.ADVAPI32(00000000), ref: 005CBD6A
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005CBD99
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 005CBDF3
• RegCloseKey.ADVAPI32(?), ref: 005CBDFF
                                                        Similarity
                                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                        • String ID:
                                                        • API String ID: 1120388591-0
                                                        • Opcode ID: b2c2bd99e8031d3423e82b300e17b5e66b7bdf4a2e2e24c15759c90bcf7742e8
                                                        • Instruction ID: d7f9a97605e0c1c74dce6ef9eac2dc044ba082fe861a2197ff92a02c2d965543
                                                        • Opcode Fuzzy Hash: b2c2bd99e8031d3423e82b300e17b5e66b7bdf4a2e2e24c15759c90bcf7742e8
                                                        • Instruction Fuzzy Hash: 68815B70108242AFD714DF64C896E6ABFE5FF84308F14895DF45A4B2A2DB31ED45CB92
                                                        APIs
                                                        • VariantInit.OLEAUT32(00000035), ref: 0059F7B9
                                                        • SysAllocString.OLEAUT32(00000001), ref: 0059F860
                                                        • VariantCopy.OLEAUT32(0059FA64,00000000), ref: 0059F889
                                                        • VariantClear.OLEAUT32(0059FA64), ref: 0059F8AD
                                                        • VariantCopy.OLEAUT32(0059FA64,00000000), ref: 0059F8B1
                                                        • VariantClear.OLEAUT32(?), ref: 0059F8BB
                                                        Similarity
                                                        • API ID: Variant$ClearCopy$AllocInitString
                                                        • String ID:
                                                        • API String ID: 3859894641-0
                                                        • Opcode ID: f2e945cb15f2a04e6af9b7457a8020d79f07d5b29310d969b14175529e22122e
                                                        • Instruction ID: 4bd2a7a2a4e1fdd1880637c96d5d18ffe5e003b6594a6d62ff51104d7214e3dc
                                                        • Opcode Fuzzy Hash: f2e945cb15f2a04e6af9b7457a8020d79f07d5b29310d969b14175529e22122e
                                                        • Instruction Fuzzy Hash: 4151D531600311BBCF60AF65D899B69BBA8FF85310F249867E805DF291DB70CC40C7A6
                                                        APIs
                                                          • Part of subcall function 00547620: _wcslen.LIBCMT ref: 00547625
                                                          • Part of subcall function 00546B57: _wcslen.LIBCMT ref: 00546B6A
                                                        • GetOpenFileNameW.COMDLG32(00000058), ref: 005B94E5
                                                        • _wcslen.LIBCMT ref: 005B9506
                                                        • _wcslen.LIBCMT ref: 005B952D
                                                        • GetSaveFileNameW.COMDLG32(00000058), ref: 005B9585
                                                        Similarity
                                                        • API ID: _wcslen$FileName$OpenSave
                                                        • String ID: X
                                                        • API String ID: 83654149-3081909835
                                                        • Opcode ID: 0cfdb68bcd49d32ac18d2c6460d47be3db916e2705a756e10433a8298430dfab
                                                        • Instruction ID: c6ed000df8787dd22650ff474c7eb2190c0cbbdd352d8b349e523702c13a848e
                                                        • Opcode Fuzzy Hash: 0cfdb68bcd49d32ac18d2c6460d47be3db916e2705a756e10433a8298430dfab
                                                        • Instruction Fuzzy Hash: 8FE181315083419FD724DF24C485AAABBE4BFC5314F14896DF9899B2A2DB31ED05CB92
                                                        APIs
                                                          • Part of subcall function 00559BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00559BB2
                                                        • BeginPaint.USER32(?,?,?), ref: 00559241
                                                        • GetWindowRect.USER32(?,?), ref: 005592A5
                                                        • ScreenToClient.USER32(?,?), ref: 005592C2
                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005592D3
                                                        • EndPaint.USER32(?,?,?,?,?), ref: 00559321
                                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005971EA
                                                          • Part of subcall function 00559339: BeginPath.GDI32(00000000), ref: 00559357
                                                        Similarity
                                                        • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                        • String ID:
                                                        • API String ID: 3050599898-0
                                                        • Opcode ID: 0d7f6574a884b2c33e68efe28de28aa2b2818724aa8a5db770af3df2ad3b5952
                                                        • Instruction ID: 4e2a66a6c2771a8049bba1b48dc30b7e7554bdfc97b3d28418e5d3b292db1a16
                                                        • Opcode Fuzzy Hash: 0d7f6574a884b2c33e68efe28de28aa2b2818724aa8a5db770af3df2ad3b5952
                                                        • Instruction Fuzzy Hash: 1A41A170105301EFDB20DF54C894FA67FA9FB5A321F144A2BFA648B1A1C7349849EB61
                                                        APIs
                                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 005B080C
                                                        • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 005B0847
                                                        • EnterCriticalSection.KERNEL32(?), ref: 005B0863
                                                        • LeaveCriticalSection.KERNEL32(?), ref: 005B08DC
                                                        • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005B08F3
                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 005B0921
                                                        Similarity
                                                        • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                        • String ID:
                                                        • API String ID: 3368777196-0
                                                        • Opcode ID: 479ae92d7e3dc55749f06181eb29b0690cb80e6786eb45082f3fd0cf4230dd75
                                                        • Instruction ID: d441b12cb4a186a700cf2e777462b770717c13d7834cd87b3e566ba32e687f5a
                                                        • Opcode Fuzzy Hash: 479ae92d7e3dc55749f06181eb29b0690cb80e6786eb45082f3fd0cf4230dd75
                                                        • Instruction Fuzzy Hash: D9414771900206EBDF14AF54DC85AAB7BB9FF44310F1440A6ED00AB297DB30EE65DBA0
                                                        APIs
                                                        • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0059F3AB,00000000,?,?,00000000,?,0059682C,00000004,00000000,00000000), ref: 005D824C
                                                        • EnableWindow.USER32(?,00000000), ref: 005D8272
                                                        • ShowWindow.USER32(FFFFFFFF,00000000), ref: 005D82D1
                                                        • ShowWindow.USER32(?,00000004), ref: 005D82E5
                                                        • EnableWindow.USER32(?,00000001), ref: 005D830B
                                                        • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 005D832F
                                                        Similarity
                                                        • API ID: Window$Show$Enable$MessageSend
                                                        • String ID:
                                                        • API String ID: 642888154-0
                                                        • Opcode ID: 9ee2b1306ac1c71e13a4a0c5448dbecef491eb83c8a7940ad0d0cc36407b1a7d
                                                        • Instruction ID: 84274e1ac5d9dbf9e22e1dfa52ba46c0213464e844b92e6760c8982dff2c677a
                                                        • Opcode Fuzzy Hash: 9ee2b1306ac1c71e13a4a0c5448dbecef491eb83c8a7940ad0d0cc36407b1a7d
                                                        • Instruction Fuzzy Hash: 92415134602645AFDB31CF29CC99BF47FE1BB46715F18526BE6184F262CB31A845CB50
                                                        APIs
                                                        • IsWindowVisible.USER32(?), ref: 005A4C95
                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 005A4CB2
                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 005A4CEA
                                                        • _wcslen.LIBCMT ref: 005A4D08
                                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 005A4D10
                                                        • _wcsstr.LIBVCRUNTIME ref: 005A4D1A
                                                        Similarity
                                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                        • String ID:
                                                        • API String ID: 72514467-0
                                                        • Opcode ID: 5c6f03efda144521c148f666c14447b3bda1324eea175d1e2740bb0b6e924737
                                                        • Instruction ID: 6ce6c00f5319f6baa102690ad9360f47c28fc8ed46973bd8fce3f8f53c5d69f9
                                                        • Opcode Fuzzy Hash: 5c6f03efda144521c148f666c14447b3bda1324eea175d1e2740bb0b6e924737
                                                        • Instruction Fuzzy Hash: 6521D731605201BBEB255B79AC4AE7F7F9CEF86750F10402AF909CE191DAA1DC40DAA0
                                                        APIs
                                                          • Part of subcall function 00543AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00543A97,?,?,00542E7F,?,?,?,00000000), ref: 00543AC2
                                                        • _wcslen.LIBCMT ref: 005B587B
                                                        • CoInitialize.OLE32(00000000), ref: 005B5995
                                                        • CoCreateInstance.OLE32(005DFCF8,00000000,00000001,005DFB68,?), ref: 005B59AE
                                                        • CoUninitialize.OLE32 ref: 005B59CC
                                                        Similarity
                                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                        • String ID: .lnk
                                                        • API String ID: 3172280962-24824748
                                                        • Opcode ID: f6d5b06d760688ec37ff7b54ec7a9272212409688e7a1053262389e74875cd37
                                                        • Instruction ID: 37684e0a138480817433c54b2fde41c09a307b51ba7d0ea2228842a07ba14e26
                                                        • Opcode Fuzzy Hash: f6d5b06d760688ec37ff7b54ec7a9272212409688e7a1053262389e74875cd37
                                                        • Instruction Fuzzy Hash: 83D147716047019FC718DF24C484AAABBE5FF89714F14485DF88A9B361E731ED45CB92
                                                        APIs
                                                          • Part of subcall function 005A0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005A0FCA
                                                          • Part of subcall function 005A0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005A0FD6
                                                          • Part of subcall function 005A0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005A0FE5
                                                          • Part of subcall function 005A0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005A0FEC
                                                          • Part of subcall function 005A0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005A1002
                                                        • GetLengthSid.ADVAPI32(?,00000000,005A1335), ref: 005A17AE
                                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 005A17BA
                                                        • HeapAlloc.KERNEL32(00000000), ref: 005A17C1
                                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 005A17DA
                                                        • GetProcessHeap.KERNEL32(00000000,00000000,005A1335), ref: 005A17EE
                                                        • HeapFree.KERNEL32(00000000), ref: 005A17F5
                                                        Similarity
                                                        • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                        • String ID:
                                                        • API String ID: 3008561057-0
                                                        • Opcode ID: 89318a77f2b0843905b080509ec90090cc092be210cad3d513a7954d3d2b8464
                                                        • Instruction ID: a18f166bc38fef1963f7b8f7f302de41b060a68ef326248c83a75cde188c8eb3
                                                        • Opcode Fuzzy Hash: 89318a77f2b0843905b080509ec90090cc092be210cad3d513a7954d3d2b8464
                                                        • Instruction Fuzzy Hash: 9B11BE31511616FFDB249FA4CC49FAE7FA9FB42355F10401AF481A7290C735A944DB64
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005A14FF
                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 005A1506
                                                        • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005A1515
                                                        • CloseHandle.KERNEL32(00000004), ref: 005A1520
                                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005A154F
                                                        • DestroyEnvironmentBlock.USERENV(00000000), ref: 005A1563
                                                        Similarity
                                                        • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                        • String ID:
                                                        • API String ID: 1413079979-0
                                                        • Opcode ID: c309e882a27ca46530ed14667d232ae823943729a4e207380e53dc0543bc7f22
                                                        • Instruction ID: f25c7b18f3611167c228e83cdcc53a27fb9d47a54a2684a90501afd4fee95da1
                                                        • Opcode Fuzzy Hash: c309e882a27ca46530ed14667d232ae823943729a4e207380e53dc0543bc7f22
                                                        • Instruction Fuzzy Hash: 0711297250120AABDF218F98DD49FDE7FA9FF49744F04411AFA05A20A0C375CE64EB64
                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,00563379,00562FE5), ref: 00563390
                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0056339E
                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005633B7
                                                        • SetLastError.KERNEL32(00000000,?,00563379,00562FE5), ref: 00563409
                                                        Similarity
                                                        • API ID: ErrorLastValue___vcrt_
                                                        • String ID:
                                                        • API String ID: 3852720340-0
                                                        • Opcode ID: 9b387c78668da1884798304e5df1a58ffba32ae90dc32fba7364717e5562b0ae
                                                        • Instruction ID: 5ce04df1fed739d911331125b49bf7eec7b38ca4ee7de0d7ee0640f4fb50f3b9
                                                        • Opcode Fuzzy Hash: 9b387c78668da1884798304e5df1a58ffba32ae90dc32fba7364717e5562b0ae
                                                        • Instruction Fuzzy Hash: 4C012F32749312BEEB2427B8BC89A672E94FB5537A720072AF411832F0EF124E15E544
                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,00575686,00583CD6,?,00000000,?,00575B6A,?,?,?,?,?,0056E6D1,?,00608A48), ref: 00572D78
                                                        • _free.LIBCMT ref: 00572DAB
                                                        • _free.LIBCMT ref: 00572DD3
                                                        • SetLastError.KERNEL32(00000000,?,?,?,?,0056E6D1,?,00608A48,00000010,00544F4A,?,?,00000000,00583CD6), ref: 00572DE0
                                                        • SetLastError.KERNEL32(00000000,?,?,?,?,0056E6D1,?,00608A48,00000010,00544F4A,?,?,00000000,00583CD6), ref: 00572DEC
                                                        • _abort.LIBCMT ref: 00572DF2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$_free$_abort
                                                        • String ID:
                                                        • API String ID: 3160817290-0
                                                        • Opcode ID: ead127ab3b9afc258cc4bf994a59c3604a9a65092d8aa872d264077404c0ec47
                                                        • Instruction ID: 05e421aa6f8d4d27024b335e1d9d5d7ab60a35d1dd8f513b39642a2874d94ab5
                                                        • Opcode Fuzzy Hash: ead127ab3b9afc258cc4bf994a59c3604a9a65092d8aa872d264077404c0ec47
                                                        • Instruction Fuzzy Hash: F4F0A93594560267C73227787C0EA5B1E59BFD1771F25C519F82C921D6DE3488827160
                                                        APIs
                                                          • Part of subcall function 00559639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00559693
                                                          • Part of subcall function 00559639: SelectObject.GDI32(?,00000000), ref: 005596A2
                                                          • Part of subcall function 00559639: BeginPath.GDI32(?), ref: 005596B9
                                                          • Part of subcall function 00559639: SelectObject.GDI32(?,00000000), ref: 005596E2
                                                        • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 005D8A4E
                                                        • LineTo.GDI32(?,00000003,00000000), ref: 005D8A62
                                                        • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 005D8A70
                                                        • LineTo.GDI32(?,00000000,00000003), ref: 005D8A80
                                                        • EndPath.GDI32(?), ref: 005D8A90
                                                        • StrokePath.GDI32(?), ref: 005D8AA0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                        • String ID:
                                                        • API String ID: 43455801-0
                                                        • Opcode ID: 6d7a40b4305cc02da86ca626d098fc2e1c7a4dbb75180a04feb1db28462c0b92
                                                        • Instruction ID: b5a97d6fd38593789e228ec1a664d094aab0703b2f674195710e58d58d90b17a
                                                        • Opcode Fuzzy Hash: 6d7a40b4305cc02da86ca626d098fc2e1c7a4dbb75180a04feb1db28462c0b92
                                                        • Instruction Fuzzy Hash: FA11097600114DFFDF229F94DC88EAA7F6DEB09350F048053BA199A1A1C7719D59EBA0
                                                        APIs
                                                        • GetDC.USER32(00000000), ref: 005A5218
                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 005A5229
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005A5230
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 005A5238
                                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 005A524F
                                                        • MulDiv.KERNEL32(000009EC,00000001,?), ref: 005A5261
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CapsDevice$Release
                                                        • String ID:
                                                        • API String ID: 1035833867-0
                                                        • Opcode ID: 5d6aff784ec61409c16b7a93a75b4d74bc2386989a23888ef82287c5c5255576
                                                        • Instruction ID: 7c5a68dda923a0ca2a565899d30adb0820b6266690118a4e893e4ac88f01428a
                                                        • Opcode Fuzzy Hash: 5d6aff784ec61409c16b7a93a75b4d74bc2386989a23888ef82287c5c5255576
                                                        • Instruction Fuzzy Hash: D0018F75A01719BBEB109BA59C49F4EBFB8FF58351F044066FA04A7280D6709804DBA0
                                                        APIs
                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00541BF4
                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00541BFC
                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00541C07
                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00541C12
                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00541C1A
                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00541C22
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Virtual
                                                        • String ID:
                                                        • API String ID: 4278518827-0
                                                        • Opcode ID: fb267d68f6ee8925444bc5a3f7a6ba4460bb5a66845b8ad4e27fcba1951677fc
                                                        • Instruction ID: c647b1d2fdbe6a9f63c225b78329d7d39b75e6a09b181ecf39fa9ccc9a1c9f9a
                                                        • Opcode Fuzzy Hash: fb267d68f6ee8925444bc5a3f7a6ba4460bb5a66845b8ad4e27fcba1951677fc
                                                        • Instruction Fuzzy Hash: C4016CB090275ABDE3008F5A8C85B52FFA8FF19354F00411B915C4B941C7F5A864CBE5
                                                        APIs
                                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005AEB30
                                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005AEB46
                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 005AEB55
                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005AEB64
                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005AEB6E
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005AEB75
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                        • String ID:
                                                        • API String ID: 839392675-0
                                                        • Opcode ID: f03302fa10466b70ae8348b840e365b9e4440a2f0ebc61843529e372d961c899
                                                        • Instruction ID: be5827c63e93236c61dc6a287e5c80103f68eaade8ac2dc3b8f53a4fbdfb8147
                                                        • Opcode Fuzzy Hash: f03302fa10466b70ae8348b840e365b9e4440a2f0ebc61843529e372d961c899
                                                        • Instruction Fuzzy Hash: C2F06D72142129BBEA305B929C0EEAF3F7CEBDAB11F00015AF601D109097A05A05D6B4
                                                        APIs
                                                        • GetClientRect.USER32(?), ref: 00597452
                                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 00597469
                                                        • GetWindowDC.USER32(?), ref: 00597475
                                                        • GetPixel.GDI32(00000000,?,?), ref: 00597484
                                                        • ReleaseDC.USER32(?,00000000), ref: 00597496
                                                        • GetSysColor.USER32(00000005), ref: 005974B0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                        • String ID:
                                                        • API String ID: 272304278-0
                                                        • Opcode ID: 32711d9d2d8bdcac925ea4b0182b12266c13bb1fbdf76240307dde8a3784e26e
                                                        • Instruction ID: 7238a51e3cf09742ca6f7481d2f2396ffc4b023fd4eb591b74746eb90311d3d6
                                                        • Opcode Fuzzy Hash: 32711d9d2d8bdcac925ea4b0182b12266c13bb1fbdf76240307dde8a3784e26e
                                                        • Instruction Fuzzy Hash: 97018B3140521AEFDF205FA4DC08BAE7FB6FB18311F1401A3F91AA21A1CB311E45EB10
                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 005A187F
                                                        • UnloadUserProfile.USERENV(?,?), ref: 005A188B
                                                        • CloseHandle.KERNEL32(?), ref: 005A1894
                                                        • CloseHandle.KERNEL32(?), ref: 005A189C
                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 005A18A5
                                                        • HeapFree.KERNEL32(00000000), ref: 005A18AC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                        • String ID:
                                                        • API String ID: 146765662-0
                                                        • Opcode ID: 27edcd45d814a3687e412a3fee84c99aa38c965e1b437c076f7c2712e594c1ef
                                                        • Instruction ID: ccdac3d3c6cf96f53b6c654c34fe64fbc3f675fdcb0403c2570e632003ce4282
                                                        • Opcode Fuzzy Hash: 27edcd45d814a3687e412a3fee84c99aa38c965e1b437c076f7c2712e594c1ef
                                                        • Instruction Fuzzy Hash: C3E0E536045112FBDB116FE1ED0C90ABF39FF69B22B108627F225810B0CB329424EF50
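The "APIs" blocks above list each function's imports with raw hex arguments, which is the part of this listing a triager actually reads. As an added example for working through them, not code from Joe Sandbox or from the analysed sample, the following Python parses those lines, names the Win32 constants behind the arguments (WM_CLOSE, SMTO_ABORTIFHUNG, PROCESS_ALL_ACCESS, LOGPIXELSX/LOGPIXELSY, the VK_* modifier codes, MAPVK_VK_TO_VSC, TCM_ADJUSTRECT, COLOR_WINDOW) and flags the call chains visible in the blocks at 005AEB30 (WM_CLOSE followed by OpenProcess and TerminateProcess), 00541BF4 (MapVirtualKeyW over the modifier keys), 005A5218 (GetDeviceCaps feeding MulDiv) and 005A187F (UnloadUserProfile after WaitForSingleObject). The constant tables and chain rules are the editor's own reading of the listed calls; the parser assumes the report's format of zero-padded hex arguments with "?" for values the plugin could not recover. The sample input is the 005AEB30 block copied from this report.

```python
"""Parse and annotate the 'APIs' lines of a Joe Sandbox function listing.

Added example for reading this report; it is not Joe Sandbox code and not
code from the analysed sample. The constant tables and the chain rules are
the editor's own reading of the listed calls (assumption: arguments are
printed as zero-padded hex, '?' when the value was not recovered).
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# One listing line, e.g.
#   • OpenProcess.KERNEL32(001F0FFF,00000000,?,?), ref: 005AEB64
#   • Part of subcall function 00559639: SelectObject.GDI32(?,00000000), ref: 005596A2
#   • _free.LIBCMT ref: 00572DAB            (CRT entries carry no argument list)
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list                       # int for recovered values, None for '?'
    ref: int                         # address of the call site
    subcall: Optional[int] = None    # set when the plugin lists it as part of a callee

def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return the parsed call, or None for lines that are not API entries."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = []
    if m["args"] and m["args"].strip():
        for a in m["args"].split(","):
            a = a.strip()
            args.append(None if a == "?" else int(a, 16))   # '-00000002' -> -2
    sub = int(m["sub"], 16) if m["sub"] else None
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16), sub)

# (API, zero-based argument index) -> {raw value: Win32 constant name}
NAMED = {
    ("PostMessageW", 1): {0x0010: "WM_CLOSE"},
    ("SendMessageTimeoutW", 1): {0x0010: "WM_CLOSE"},
    ("SendMessageTimeoutW", 4): {0x0002: "SMTO_ABORTIFHUNG"},
    ("OpenProcess", 0): {0x001F0FFF: "PROCESS_ALL_ACCESS"},
    ("GetDeviceCaps", 1): {88: "LOGPIXELSX", 90: "LOGPIXELSY"},
    ("MapVirtualKeyW", 0): {0x5B: "VK_LWIN", 0x10: "VK_SHIFT", 0xA0: "VK_LSHIFT",
                            0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"},
    ("MapVirtualKeyW", 1): {0: "MAPVK_VK_TO_VSC"},
    ("GetSysColor", 0): {5: "COLOR_WINDOW"},
    ("SendMessageW", 1): {0x1328: "TCM_ADJUSTRECT"},
}

def annotate(call: ApiCall) -> str:
    """Render the call with known constants named and the call site appended."""
    out = []
    for i, v in enumerate(call.args):
        if v is None:
            out.append("?")
        elif (name := NAMED.get((call.api, i), {}).get(v)):
            out.append(f"{name}(0x{v:X})")
        else:
            out.append(f"0x{v:X}" if v >= 0 else str(v))
    return f"{call.api}({', '.join(out)}) @ {call.ref:08X}"

def _uses(api: str, idx: int, value: int) -> Callable[[list], bool]:
    """Predicate: some call to `api` passes `value` in argument `idx`."""
    return lambda calls: any(c.api == api and len(c.args) > idx and c.args[idx] == value
                             for c in calls)

# Chains worth a second look when triaging; each rule is a predicate over one function's calls.
CHAINS = [
    ("window kill: WM_CLOSE, then TerminateProcess on a PROCESS_ALL_ACCESS handle",
     lambda calls: _uses("PostMessageW", 1, 0x10)(calls)
                   and _uses("OpenProcess", 0, 0x1F0FFF)(calls)
                   and any(c.api == "TerminateProcess" for c in calls)),
    ("keystroke simulation: scan codes resolved for Shift/Ctrl/Alt modifiers",
     lambda calls: all(_uses("MapVirtualKeyW", 0, vk)(calls) for vk in (0x10, 0x11, 0x12))),
    ("DPI conversion: LOGPIXELSX/Y from the screen DC fed to MulDiv",
     lambda calls: _uses("GetDeviceCaps", 1, 88)(calls) and any(c.api == "MulDiv" for c in calls)),
    ("run-as cleanup: wait for the child, unload its profile, close the handles",
     lambda calls: {"WaitForSingleObject", "UnloadUserProfile", "CloseHandle"} <= {c.api for c in calls}),
]

def classify(calls: list) -> list:
    return [label for label, rule in CHAINS if rule(calls)]

def summarize(listing: str) -> dict:
    """Parse one function's 'APIs' block; return annotated calls and matched chains."""
    calls = [c for c in map(parse_api_line, listing.splitlines()) if c]
    return {"calls": [annotate(c) for c in calls], "chains": classify(calls)}

# Sample input: the 'APIs' block of the function at 005AEB30, copied from this report.
KILL_CHAIN = """\
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005AEB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005AEB46
• GetWindowThreadProcessId.USER32(?,?), ref: 005AEB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005AEB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005AEB6E
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005AEB75
"""

if __name__ == "__main__":
    result = summarize(KILL_CHAIN)
    print("\n".join(result["calls"]))
    print(result["chains"])
```

Run against the 005AEB30 block it prints the calls with WM_CLOSE, SMTO_ABORTIFHUNG and PROCESS_ALL_ACCESS named and reports the window-kill chain: a polite close request, a 500 ms (000001F4) wait that aborts on a hung window, then a forced termination of the owning process. The remaining blocks can be pasted into summarize() the same way; the 000009EC (2540) passed to MulDiv in the 005A5218 block reads as the HIMETRIC units-per-inch factor and is left unnamed because it is a multiplier, not a flag.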
                                                        APIs
                                                        • __Init_thread_footer.LIBCMT ref: 0054BEB3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Init_thread_footer
                                                        • String ID: D%a$D%a$D%a$D%aD%a
                                                        • API String ID: 1385522511-695643209
                                                        • Opcode ID: e787a92b303a7aca5af052521b5f187df3c75da82e4be37634a1b71cc9999a6c
                                                        • Instruction ID: 8954a930c95bcc1a108d3a4baaac80095389f37f054e0fa946009253e2547b1f
                                                        • Opcode Fuzzy Hash: e787a92b303a7aca5af052521b5f187df3c75da82e4be37634a1b71cc9999a6c
                                                        • Instruction Fuzzy Hash: 9F913975A0020ACFDB18CF58C0D06EABBF2FF58318B24856AD945AB351E731ED91DB90
                                                        APIs
                                                          • Part of subcall function 00560242: EnterCriticalSection.KERNEL32(0061070C,00611884,?,?,0055198B,00612518,?,?,?,005412F9,00000000), ref: 0056024D
                                                          • Part of subcall function 00560242: LeaveCriticalSection.KERNEL32(0061070C,?,0055198B,00612518,?,?,?,005412F9,00000000), ref: 0056028A
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                          • Part of subcall function 005600A3: __onexit.LIBCMT ref: 005600A9
                                                        • __Init_thread_footer.LIBCMT ref: 005C7BFB
                                                          • Part of subcall function 005601F8: EnterCriticalSection.KERNEL32(0061070C,?,?,00558747,00612514), ref: 00560202
                                                          • Part of subcall function 005601F8: LeaveCriticalSection.KERNEL32(0061070C,?,00558747,00612514), ref: 00560235
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                        • String ID: +TY$5$G$Variable must be of type 'Object'.
                                                        • API String ID: 535116098-2344059749
                                                        • Opcode ID: 7633838e83a7b2bd338dbec24e421c50c295844dad1bb12d45e3cc1abfd7c120
                                                        • Instruction ID: f7769068e479e8737110be5ab65a2133425e3ecc8429764d92229bb76f5772b3
                                                        • Opcode Fuzzy Hash: 7633838e83a7b2bd338dbec24e421c50c295844dad1bb12d45e3cc1abfd7c120
                                                        • Instruction Fuzzy Hash: 2E916B74A0420AAFCB14EF94D895EADBFB2BF88304F14805DF8165B692DB71AE41CF51
                                                        APIs
                                                          • Part of subcall function 00547620: _wcslen.LIBCMT ref: 00547625
                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005AC6EE
                                                        • _wcslen.LIBCMT ref: 005AC735
                                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005AC79C
                                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 005AC7CA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ItemMenu$Info_wcslen$Default
                                                        • String ID: 0
                                                        • API String ID: 1227352736-4108050209
                                                        • Opcode ID: 5098a4f77b1bc5c207746d74785770085cf3d15f4be56fec7d4c705497144216
                                                        • Instruction ID: 054ea939d2942f50d71b0dd5418b067e09a0f59eb69de952c127afc272661f31
                                                        • Opcode Fuzzy Hash: 5098a4f77b1bc5c207746d74785770085cf3d15f4be56fec7d4c705497144216
                                                        • Instruction Fuzzy Hash: 0F51AE716043019BD715DE28C889AAE7FE8FF8A314F040A2EF9A5D71A1DB64D944CF92
                                                        APIs
                                                        • ShellExecuteExW.SHELL32(0000003C), ref: 005CAEA3
                                                          • Part of subcall function 00547620: _wcslen.LIBCMT ref: 00547625
                                                        • GetProcessId.KERNEL32(00000000), ref: 005CAF38
                                                        • CloseHandle.KERNEL32(00000000), ref: 005CAF67
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CloseExecuteHandleProcessShell_wcslen
                                                        • String ID: <$@
                                                        • API String ID: 146682121-1426351568
                                                        • Opcode ID: 999c44aac1f6c966f997084624bb25a8f1a3cf3a434b010fd7f2e450c9b7da4e
                                                        • Instruction ID: 24032b719179a7d2da1af283e541e78dc4c379498f57d2a5c08880472e274153
                                                        • Opcode Fuzzy Hash: 999c44aac1f6c966f997084624bb25a8f1a3cf3a434b010fd7f2e450c9b7da4e
                                                        • Instruction Fuzzy Hash: A3714474A0061A9FCB14DF94C489A9EBFB4FF48318F04889DE816AB362D774ED45CB91
                                                        APIs
                                                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 005A7206
                                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 005A723C
                                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 005A724D
                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005A72CF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                                        • String ID: DllGetClassObject
                                                        • API String ID: 753597075-1075368562
                                                        • Opcode ID: b4c1766b1ccab8222baea65d86fb634d9956581656d735f65474350bdc54b309
                                                        • Instruction ID: bd504be7a834015aa0c5b82ceaae4ffeafce9bc95051a87b4a77d7ff0f218669
                                                        • Opcode Fuzzy Hash: b4c1766b1ccab8222baea65d86fb634d9956581656d735f65474350bdc54b309
                                                        • Instruction Fuzzy Hash: DA416E75604209AFDB25CF54CC84B9E7FA9FF89310F1484AABD059F20AD7B0DA45DBA0
                                                        APIs
                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005D3E35
                                                        • IsMenu.USER32(?), ref: 005D3E4A
                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005D3E92
                                                        • DrawMenuBar.USER32 ref: 005D3EA5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Menu$Item$DrawInfoInsert
                                                        • String ID: 0
                                                        • API String ID: 3076010158-4108050209
                                                        • Opcode ID: 7cbeab65aac1deafba07dc0bf9f009db1d7fd82c01a0e449d556d05e3814d12b
                                                        • Instruction ID: 5a8ff58b744ee29c118af5bb8003bafedd6fca7f4a42c2d7a6db52e0c94643f2
                                                        • Opcode Fuzzy Hash: 7cbeab65aac1deafba07dc0bf9f009db1d7fd82c01a0e449d556d05e3814d12b
                                                        • Instruction Fuzzy Hash: 1E414A75A01209AFDB20DF58D884AEABBB9FF49354F04412BE9159B390D730AE44DF51
                                                        APIs
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                          • Part of subcall function 005A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005A3CCA
                                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 005A1E66
                                                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 005A1E79
                                                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 005A1EA9
                                                          • Part of subcall function 00546B57: _wcslen.LIBCMT ref: 00546B6A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$_wcslen$ClassName
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 2081771294-1403004172
                                                        • Opcode ID: 2330d8fb382b0a18321e5a689b5ad506dc25c9ff6764ca8e2f7fce0d47d106ed
                                                        • Instruction ID: eb0ec3bc782e5e93fa49312c5c9f373c624c1d7db85d28e441f46b29b250d852
                                                        • Opcode Fuzzy Hash: 2330d8fb382b0a18321e5a689b5ad506dc25c9ff6764ca8e2f7fce0d47d106ed
                                                        • Instruction Fuzzy Hash: B021F671A00105AADB14AB64DC5ACFFBFBDFF86364F10451AF825AB2E1DB344D09D620
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 005D2F8D
                                                        • LoadLibraryW.KERNEL32(?), ref: 005D2F94
                                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 005D2FA9
                                                        • DestroyWindow.USER32(?), ref: 005D2FB1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$DestroyLibraryLoadWindow
                                                        • String ID: SysAnimate32
                                                        • API String ID: 3529120543-1011021900
                                                        • Opcode ID: b1a1104d176a279f2e651fbda277497e660171651ecc1dfb1b94b91d0c655f0b
                                                        • Instruction ID: 78b3e3cf45756faf9f302c5dc5317b4c8ed58410a89b359eb9650f96cd756220
                                                        • Opcode Fuzzy Hash: b1a1104d176a279f2e651fbda277497e660171651ecc1dfb1b94b91d0c655f0b
                                                        • Instruction Fuzzy Hash: 9B21DE71204206ABEB204F68DC86EBB3BB9FF69324F104A1BF954D6290D771DC41E760
                                                        APIs
                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00564D1E,005728E9,?,00564CBE,005728E9,006088B8,0000000C,00564E15,005728E9,00000002), ref: 00564D8D
                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00564DA0
                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,00564D1E,005728E9,?,00564CBE,005728E9,006088B8,0000000C,00564E15,005728E9,00000002,00000000), ref: 00564DC3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 4061214504-1276376045
                                                        • Opcode ID: 347f87b4e55b675a3b54bb0b8be07861450977f7ac1da4e3717602aad500d965
                                                        • Instruction ID: 25b701fbcb16d02725e246e881f22357743535e7032e94961a83a539e51aab07
                                                        • Opcode Fuzzy Hash: 347f87b4e55b675a3b54bb0b8be07861450977f7ac1da4e3717602aad500d965
                                                        • Instruction Fuzzy Hash: FBF0AF30A41219FBDB209F90DC09BAEBFB9FF54751F0001A6F805A62A0CF705984DF90
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00544EDD,?,00611418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00544E9C
                                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00544EAE
                                                        • FreeLibrary.KERNEL32(00000000,?,?,00544EDD,?,00611418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00544EC0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Library$AddressFreeLoadProc
                                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                        • API String ID: 145871493-3689287502
                                                        • Opcode ID: 9f69db4730339b63d6a6e4ff53659cf0fa1e2f891caeb6f475ba780a15b60945
                                                        • Instruction ID: f7540b2f90def84b0b933bdb7f91160269efb708a48e52e875cc8137b528195e
                                                        • Opcode Fuzzy Hash: 9f69db4730339b63d6a6e4ff53659cf0fa1e2f891caeb6f475ba780a15b60945
                                                        • Instruction Fuzzy Hash: E6E08635A426339BD23217656C1CB9B6E6CBF91B667050117FC00D6250DF60CD05D4A1
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00583CDE,?,00611418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00544E62
                                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00544E74
                                                        • FreeLibrary.KERNEL32(00000000,?,?,00583CDE,?,00611418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00544E87
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Library$AddressFreeLoadProc
                                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                        • API String ID: 145871493-1355242751
                                                        • Opcode ID: d9ae78793d3393a03367aa745c6445e4f5f11f5ac30608e14b6c84dfaf5eba5e
                                                        • Instruction ID: 0c434d3fcf943e78a0f820aac160e44595022425df1227910676462c2dff0c33
                                                        • Opcode Fuzzy Hash: d9ae78793d3393a03367aa745c6445e4f5f11f5ac30608e14b6c84dfaf5eba5e
                                                        • Instruction Fuzzy Hash: D5D0C231543633979A321B246C08ECB7F1CBF81B153050213B800E7250CF20CD11D9D1
                                                        APIs
                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005B2C05
                                                        • DeleteFileW.KERNEL32(?), ref: 005B2C87
                                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 005B2C9D
                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005B2CAE
                                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005B2CC0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: File$Delete$Copy
                                                        • String ID:
                                                        • API String ID: 3226157194-0
                                                        • Opcode ID: e7ad0970c305f596d4b04e4837b3a50f7c4b373e089e8a35763734a804bb4389
                                                        • Instruction ID: c93994549d49834e4fa94b7a66a887758bfdc55d8c2534e97c1fcf0be733887f
                                                        • Opcode Fuzzy Hash: e7ad0970c305f596d4b04e4837b3a50f7c4b373e089e8a35763734a804bb4389
                                                        • Instruction Fuzzy Hash: C1B15D7290111AABDF21DBA4CC89EDEBF7DFF48350F1040A6F609E7155EA30AA448F61
                                                        APIs
                                                        • GetCurrentProcessId.KERNEL32 ref: 005CA427
                                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 005CA435
                                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 005CA468
                                                        • CloseHandle.KERNEL32(?), ref: 005CA63D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Process$CloseCountersCurrentHandleOpen
                                                        • String ID:
                                                        • API String ID: 3488606520-0
                                                        • Opcode ID: 4418e6d827e5317a1675c736891b2bbab7e256e5466a830df26d48b21d54e3a4
                                                        • Instruction ID: 173a967ce8594e78008c55503d99ce2f19623fd65d530c4eccf56cab4972ca3c
                                                        • Opcode Fuzzy Hash: 4418e6d827e5317a1675c736891b2bbab7e256e5466a830df26d48b21d54e3a4
                                                        • Instruction Fuzzy Hash: F5A18E71604301AFD720DF24C886F2ABFE5BB84718F14885DF95A9B392D771EC458B92
                                                        APIs
                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,005E3700), ref: 0057BB91
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0061121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0057BC09
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00611270,000000FF,?,0000003F,00000000,?), ref: 0057BC36
                                                        • _free.LIBCMT ref: 0057BB7F
                                                          • Part of subcall function 005729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0057D7D1,00000000,00000000,00000000,00000000,?,0057D7F8,00000000,00000007,00000000,?,0057DBF5,00000000), ref: 005729DE
                                                          • Part of subcall function 005729C8: GetLastError.KERNEL32(00000000,?,0057D7D1,00000000,00000000,00000000,00000000,?,0057D7F8,00000000,00000007,00000000,?,0057DBF5,00000000,00000000), ref: 005729F0
                                                        • _free.LIBCMT ref: 0057BD4B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                        • String ID:
                                                        • API String ID: 1286116820-0
                                                        • Opcode ID: 8df3303daf09fc330453a405ec8c7eafde1b1460eacd369c08e4be005acbd1cc
                                                        • Instruction ID: 00a12e1fad83616d4f1942b46ab89780fe7b3d253046963aaede006fb70f413e
                                                        • Opcode Fuzzy Hash: 8df3303daf09fc330453a405ec8c7eafde1b1460eacd369c08e4be005acbd1cc
                                                        • Instruction Fuzzy Hash: 3951F97190020A9FEB10EF65AC45AAEBFBDFF81310F14C66AE518D7191DB305E81EB50
                                                        APIs
                                                          • Part of subcall function 005ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005ACF22,?), ref: 005ADDFD
                                                          • Part of subcall function 005ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005ACF22,?), ref: 005ADE16
                                                          • Part of subcall function 005AE199: GetFileAttributesW.KERNEL32(?,005ACF95), ref: 005AE19A
                                                        • lstrcmpiW.KERNEL32(?,?), ref: 005AE473
                                                        • MoveFileW.KERNEL32(?,?), ref: 005AE4AC
                                                        • _wcslen.LIBCMT ref: 005AE5EB
                                                        • _wcslen.LIBCMT ref: 005AE603
                                                        • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 005AE650
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                        • String ID:
                                                        • API String ID: 3183298772-0
                                                        APIs
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                          • Part of subcall function 005CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005CB6AE,?,?), ref: 005CC9B5
                                                          • Part of subcall function 005CC998: _wcslen.LIBCMT ref: 005CC9F1
                                                          • Part of subcall function 005CC998: _wcslen.LIBCMT ref: 005CCA68
                                                          • Part of subcall function 005CC998: _wcslen.LIBCMT ref: 005CCA9E
                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005CBAA5
                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005CBB00
                                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005CBB63
                                                        • RegCloseKey.ADVAPI32(?,?), ref: 005CBBA6
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 005CBBB3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                        • String ID:
                                                        • API String ID: 826366716-0
                                                        APIs
                                                        • VariantInit.OLEAUT32(?), ref: 005A8BCD
                                                        • VariantClear.OLEAUT32 ref: 005A8C3E
                                                        • VariantClear.OLEAUT32 ref: 005A8C9D
                                                        • VariantClear.OLEAUT32(?), ref: 005A8D10
                                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 005A8D3B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Variant$Clear$ChangeInitType
                                                        • String ID:
                                                        • API String ID: 4136290138-0
                                                        APIs
                                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 005B8BAE
                                                        • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 005B8BDA
                                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 005B8C32
                                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 005B8C57
                                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 005B8C5F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: PrivateProfile$SectionWrite$String
                                                        • String ID:
                                                        • API String ID: 2832842796-0
                                                        APIs
                                                        • LoadLibraryW.KERNEL32(?,00000000,?), ref: 005C8F40
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 005C8FD0
                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 005C8FEC
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 005C9032
                                                        • FreeLibrary.KERNEL32(00000000), ref: 005C9052
                                                          • Part of subcall function 0055F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,005B1043,?,7644E610), ref: 0055F6E6
                                                          • Part of subcall function 0055F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0059FA64,00000000,00000000,?,?,005B1043,?,7644E610,?,0059FA64), ref: 0055F70D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                        • String ID:
                                                        • API String ID: 666041331-0
                                                        APIs
                                                        • SetWindowLongW.USER32(00000002,000000F0,?), ref: 005D6C33
                                                        • SetWindowLongW.USER32(?,000000EC,?), ref: 005D6C4A
                                                        • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 005D6C73
                                                        • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,005BAB79,00000000,00000000), ref: 005D6C98
                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 005D6CC7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window$Long$MessageSendShow
                                                        • String ID:
                                                        • API String ID: 3688381893-0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        APIs
                                                        • GetCursorPos.USER32(?), ref: 00559141
                                                        • ScreenToClient.USER32(00000000,?), ref: 0055915E
                                                        • GetAsyncKeyState.USER32(00000001), ref: 00559183
                                                        • GetAsyncKeyState.USER32(00000002), ref: 0055919D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: AsyncState$ClientCursorScreen
                                                        • String ID:
                                                        • API String ID: 4210589936-0
                                                        APIs
                                                        • GetInputState.USER32 ref: 005B38CB
                                                        • TranslateAcceleratorW.USER32(?,00000000,?), ref: 005B3922
                                                        • TranslateMessage.USER32(?), ref: 005B394B
                                                        • DispatchMessageW.USER32(?), ref: 005B3955
                                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005B3966
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                        • String ID:
                                                        • API String ID: 2256411358-0
                                                        APIs
                                                        • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,005BC21E,00000000), ref: 005BCF38
                                                        • InternetReadFile.WININET(?,00000000,?,?), ref: 005BCF6F
                                                        • GetLastError.KERNEL32(?,00000000,?,?,?,005BC21E,00000000), ref: 005BCFB4
                                                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,005BC21E,00000000), ref: 005BCFC8
                                                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,005BC21E,00000000), ref: 005BCFF2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                        • String ID:
                                                        • API String ID: 3191363074-0
                                                        APIs
                                                        • GetWindowRect.USER32(?,?), ref: 005A1915
                                                        • PostMessageW.USER32(00000001,00000201,00000001), ref: 005A19C1
                                                        • Sleep.KERNEL32(00000000,?,?,?), ref: 005A19C9
                                                        • PostMessageW.USER32(00000001,00000202,00000000), ref: 005A19DA
                                                        • Sleep.KERNEL32(00000000,?,?,?,?), ref: 005A19E2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessagePostSleep$RectWindow
                                                        • String ID:
                                                        • API String ID: 3382505437-0
                                                        APIs
                                                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 005D5745
                                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 005D579D
                                                        • _wcslen.LIBCMT ref: 005D57AF
                                                        • _wcslen.LIBCMT ref: 005D57BA
                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 005D5816
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSend$_wcslen
                                                        • String ID:
                                                        • API String ID: 763830540-0
                                                        • Opcode ID: aa99be56b81bcc69bacf75cd5d846f3b0046bbed7b870bf037c9e34cd792b75d
                                                        • Instruction ID: b72216e8e5ea2ee01dcff17be55f1dc5bdbe3c1a5117961f5bf30666bb8c2fb1
                                                        • Opcode Fuzzy Hash: aa99be56b81bcc69bacf75cd5d846f3b0046bbed7b870bf037c9e34cd792b75d
                                                        • Instruction Fuzzy Hash: A2219E31904618DADB308FA8CC84AEE7FB8FF54360F108617E929EB280E7708985CF50
                                                        APIs
                                                        • IsWindow.USER32(00000000), ref: 005C0951
                                                        • GetForegroundWindow.USER32 ref: 005C0968
                                                        • GetDC.USER32(00000000), ref: 005C09A4
                                                        • GetPixel.GDI32(00000000,?,00000003), ref: 005C09B0
                                                        • ReleaseDC.USER32(00000000,00000003), ref: 005C09E8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window$ForegroundPixelRelease
                                                        • String ID:
                                                        • API String ID: 4156661090-0
                                                        • Opcode ID: fc8f145fc008855a734d802be0a0a83ad97773ad6830c4496f0b0ac6dd27fb46
                                                        • Instruction ID: f66388c101c4d75bc76228d288cefacf0dbd06e2dbb6a29c211b997965848af6
                                                        • Opcode Fuzzy Hash: fc8f145fc008855a734d802be0a0a83ad97773ad6830c4496f0b0ac6dd27fb46
                                                        • Instruction Fuzzy Hash: 45215E35600215AFD754EF69C989AAEBFE9FF84700F04846EE84A97352DA30EC08DB50
                                                        APIs
                                                        • GetEnvironmentStringsW.KERNEL32 ref: 0057CDC6
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0057CDE9
                                                          • Part of subcall function 00573820: RtlAllocateHeap.NTDLL(00000000,?,00611444,?,0055FDF5,?,?,0054A976,00000010,00611440,005413FC,?,005413C6,?,00541129), ref: 00573852
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0057CE0F
                                                        • _free.LIBCMT ref: 0057CE22
                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0057CE31
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                        • String ID:
                                                        • API String ID: 336800556-0
                                                        • Opcode ID: 6d666091638620d0bedd2cdd1cac29722ca1a55a43d6080c9b4c5dcf27988d1a
                                                        • Instruction ID: 75224eebb94b34242137f98f44043d4f1cae5c6f2cb42f29d07b54f3fe56583b
                                                        • Opcode Fuzzy Hash: 6d666091638620d0bedd2cdd1cac29722ca1a55a43d6080c9b4c5dcf27988d1a
                                                        • Instruction Fuzzy Hash: 180175726026167F272256B67C4CD7B6E6DFBC6BA1315812EFD09C7201DA618D01F1B0
                                                        APIs
                                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00559693
                                                        • SelectObject.GDI32(?,00000000), ref: 005596A2
                                                        • BeginPath.GDI32(?), ref: 005596B9
                                                        • SelectObject.GDI32(?,00000000), ref: 005596E2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ObjectSelect$BeginCreatePath
                                                        • String ID:
                                                        • API String ID: 3225163088-0
                                                        • Opcode ID: fe6c9a52dc42171b7063fb57059c192e0a330818e89d954792d250729011419b
                                                        • Instruction ID: e334b7d1f06dc22ae16503419257fef17edd634927f846b31b57df6ed4eed53f
                                                        • Opcode Fuzzy Hash: fe6c9a52dc42171b7063fb57059c192e0a330818e89d954792d250729011419b
                                                        • Instruction Fuzzy Hash: AE21C53080234AEFDB108F64DC287E93FA6BB11312F148617F9209A1B0D378588DDF90
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _memcmp
                                                        • String ID:
                                                        • API String ID: 2931989736-0
                                                        • Opcode ID: 67db861b2ffead4b89927eab8356b95df1f3dcc0a34122a531f371997661bb9c
                                                        • Instruction ID: 7545bd5df7abafb88f9cb26611afba037c084087003fb7f2a4f19e01743d465e
                                                        • Opcode Fuzzy Hash: 67db861b2ffead4b89927eab8356b95df1f3dcc0a34122a531f371997661bb9c
                                                        • Instruction Fuzzy Hash: 97019671745A15FBE21855149D42EBE7F5CFB623E4B044822FE16AB741F770ED1083A4
                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,?,0056F2DE,00573863,00611444,?,0055FDF5,?,?,0054A976,00000010,00611440,005413FC,?,005413C6), ref: 00572DFD
                                                        • _free.LIBCMT ref: 00572E32
                                                        • _free.LIBCMT ref: 00572E59
                                                        • SetLastError.KERNEL32(00000000,00541129), ref: 00572E66
                                                        • SetLastError.KERNEL32(00000000,00541129), ref: 00572E6F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$_free
                                                        • String ID:
                                                        • API String ID: 3170660625-0
                                                        • Opcode ID: c924390b24dac96faced7cb4d66af16ed305415758fde6ce627071d93f2816b4
                                                        • Instruction ID: 45a162c999b9c08bfd52c9384d78d7181287f5b78ccd6451b95788049114b883
                                                        • Opcode Fuzzy Hash: c924390b24dac96faced7cb4d66af16ed305415758fde6ce627071d93f2816b4
                                                        • Instruction Fuzzy Hash: 6B01D6365456026BC71227387C49D3B2E5EBBD5371F25C529FC2D921D3EA608C457020
                                                        APIs
                                                        • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0059FF41,80070057,?,?,?,005A035E), ref: 005A002B
                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0059FF41,80070057,?,?), ref: 005A0046
                                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0059FF41,80070057,?,?), ref: 005A0054
                                                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0059FF41,80070057,?), ref: 005A0064
                                                        • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0059FF41,80070057,?,?), ref: 005A0070
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                                        • String ID:
                                                        • API String ID: 3897988419-0
                                                        • Opcode ID: 6f1fd9767fba27710c4ea9157ff814d34a562da8efc0ec066ec543d68518edf6
                                                        • Instruction ID: a9430111e125206e77d3e66f8577889cca31b6884fd4f4dcea7c80b54f4950bf
                                                        • Opcode Fuzzy Hash: 6f1fd9767fba27710c4ea9157ff814d34a562da8efc0ec066ec543d68518edf6
                                                        • Instruction Fuzzy Hash: 8601B472611205ABDB204F69DC08FAE7FAEFB48392F105126F901D2250EBB0DD04ABA0
                                                        APIs
                                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005A1114
                                                        • GetLastError.KERNEL32(?,00000000,00000000,?,?,005A0B9B,?,?,?), ref: 005A1120
                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005A0B9B,?,?,?), ref: 005A112F
                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005A0B9B,?,?,?), ref: 005A1136
                                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005A114D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                        • String ID:
                                                        • API String ID: 842720411-0
                                                        • Opcode ID: 75d0a50f7274f03439b2b8a4a1545dc999763bdfeaea616d96220ac132ea0d6a
                                                        • Instruction ID: 4da2cd073379d99969a94e1eae20fa11afda3e293aa7675b871a3649846caaf2
                                                        • Opcode Fuzzy Hash: 75d0a50f7274f03439b2b8a4a1545dc999763bdfeaea616d96220ac132ea0d6a
                                                        • Instruction Fuzzy Hash: 94016975201616BFDB214FA4DC49A6A3F6EFF8A3A4B20041AFA41C3360DA31DC40EA60
                                                        APIs
                                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005A0FCA
                                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005A0FD6
                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005A0FE5
                                                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005A0FEC
                                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005A1002
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                        • String ID:
                                                        • API String ID: 44706859-0
                                                        • Opcode ID: be94b06e961c7f98eb5b484581a2c6aa72892233e2fff65f1c49aed67cade4a4
                                                        • Instruction ID: 0f7593ecc188e29cc3ad5fb5e05e6e8492194b8cd27cbb5ba805d98d07406f64
                                                        • Opcode Fuzzy Hash: be94b06e961c7f98eb5b484581a2c6aa72892233e2fff65f1c49aed67cade4a4
                                                        • Instruction Fuzzy Hash: F7F0A935201312EBDB210FA59C4DF5A3FADFF9A762F100416FA05C6290DA30DC40DA60
                                                        APIs
                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005A102A
                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005A1036
                                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005A1045
                                                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005A104C
                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005A1062
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                        • String ID:
                                                        • API String ID: 44706859-0
                                                        • Opcode ID: e973fa2342a68ef9268c3eb69dd84d4978f29ff8f61d5078055f2ed21f61377a
                                                        • Instruction ID: e6b8e1845f03387b63506b4c7cd1b42ec8a43e615c3b92123f6e24455ed4339d
                                                        • Opcode Fuzzy Hash: e973fa2342a68ef9268c3eb69dd84d4978f29ff8f61d5078055f2ed21f61377a
                                                        • Instruction Fuzzy Hash: 6EF0CD35201312EBDB211FA6EC4CF5A3FADFF9A761F100416FA05C7290CA70D840DA60
                                                        APIs
                                                        • CloseHandle.KERNEL32(?,?,?,?,005B017D,?,005B32FC,?,00000001,00582592,?), ref: 005B0324
                                                        • CloseHandle.KERNEL32(?,?,?,?,005B017D,?,005B32FC,?,00000001,00582592,?), ref: 005B0331
                                                        • CloseHandle.KERNEL32(?,?,?,?,005B017D,?,005B32FC,?,00000001,00582592,?), ref: 005B033E
                                                        • CloseHandle.KERNEL32(?,?,?,?,005B017D,?,005B32FC,?,00000001,00582592,?), ref: 005B034B
                                                        • CloseHandle.KERNEL32(?,?,?,?,005B017D,?,005B32FC,?,00000001,00582592,?), ref: 005B0358
                                                        • CloseHandle.KERNEL32(?,?,?,?,005B017D,?,005B32FC,?,00000001,00582592,?), ref: 005B0365
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CloseHandle
                                                        • String ID:
                                                        • API String ID: 2962429428-0
                                                        • Opcode ID: 8ed2b3b3eca81b9df78e7a19fb5c9428eedd207800e52c1b767373494072f1da
                                                        • Instruction ID: 02a5b15cd86aeeb465d8bbc20c67fff8e2a39414e19f95332b161f859ea8b630
                                                        • Opcode Fuzzy Hash: 8ed2b3b3eca81b9df78e7a19fb5c9428eedd207800e52c1b767373494072f1da
                                                        • Instruction Fuzzy Hash: A701D872800B058FCB30AF6AD880847FBF9BE602063049E3FD19252970C3B0B988CE80
                                                        APIs
                                                        • _free.LIBCMT ref: 0057D752
                                                          • Part of subcall function 005729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0057D7D1,00000000,00000000,00000000,00000000,?,0057D7F8,00000000,00000007,00000000,?,0057DBF5,00000000), ref: 005729DE
                                                          • Part of subcall function 005729C8: GetLastError.KERNEL32(00000000,?,0057D7D1,00000000,00000000,00000000,00000000,?,0057D7F8,00000000,00000007,00000000,?,0057DBF5,00000000,00000000), ref: 005729F0
                                                        • _free.LIBCMT ref: 0057D764
                                                        • _free.LIBCMT ref: 0057D776
                                                        • _free.LIBCMT ref: 0057D788
                                                        • _free.LIBCMT ref: 0057D79A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: 734d3bb82bd5df573146ead051933dd36697b064b963204032637e37184b0928
                                                        • Instruction ID: cbf94719ed48ea2758eaf06b3ecd9588fd6ba6fbfd16fefb14e1077d3702dab4
                                                        • Opcode Fuzzy Hash: 734d3bb82bd5df573146ead051933dd36697b064b963204032637e37184b0928
                                                        • Instruction Fuzzy Hash: EBF0C932584205ABC625AB68F985916BFFAFB84720F989905F14DE7542C624FCC09674
                                                        APIs
                                                        • GetDlgItem.USER32(?,000003E9), ref: 005A5C58
                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 005A5C6F
                                                        • MessageBeep.USER32(00000000), ref: 005A5C87
                                                        • KillTimer.USER32(?,0000040A), ref: 005A5CA3
                                                        • EndDialog.USER32(?,00000001), ref: 005A5CBD
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                        • String ID:
                                                        • API String ID: 3741023627-0
                                                        • Opcode ID: bf70a7332b2bd7a2d2afefdbdb13070e910f3fa2cb0a3cad27e023609bf6c8f9
                                                        • Instruction ID: 31cd5b0735dd23db4dba6ef54e730dbf793e814fa94a71f4cdfc34a51b621c00
                                                        • Opcode Fuzzy Hash: bf70a7332b2bd7a2d2afefdbdb13070e910f3fa2cb0a3cad27e023609bf6c8f9
                                                        • Instruction Fuzzy Hash: 95018B305017059BEB305B14ED5EF9A7FB8FB11705F00165BA543614E1E7F49D48DA50
                                                        APIs
                                                        • _free.LIBCMT ref: 005722BE
                                                          • Part of subcall function 005729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0057D7D1,00000000,00000000,00000000,00000000,?,0057D7F8,00000000,00000007,00000000,?,0057DBF5,00000000), ref: 005729DE
                                                          • Part of subcall function 005729C8: GetLastError.KERNEL32(00000000,?,0057D7D1,00000000,00000000,00000000,00000000,?,0057D7F8,00000000,00000007,00000000,?,0057DBF5,00000000,00000000), ref: 005729F0
                                                        • _free.LIBCMT ref: 005722D0
                                                        • _free.LIBCMT ref: 005722E3
                                                        • _free.LIBCMT ref: 005722F4
                                                        • _free.LIBCMT ref: 00572305
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: a0ac87a1613d7c135a218a1cbca88fcae1999d7aec82ad2d26ffb0def326fac7
                                                        • Instruction ID: a5b0efab6f35c4c367e51f7e16e28d009bfc3ee2667d788f9a19a081e4ef165b
                                                        • Opcode Fuzzy Hash: a0ac87a1613d7c135a218a1cbca88fcae1999d7aec82ad2d26ffb0def326fac7
                                                        • Instruction Fuzzy Hash: 3AF030744411118BCB12AF65BC068897F67B719760F0DE607F51CD72B1C77506D2BBA4
                                                        APIs
                                                        • EndPath.GDI32(?), ref: 005595D4
                                                        • StrokeAndFillPath.GDI32(?,?,005971F7,00000000,?,?,?), ref: 005595F0
                                                        • SelectObject.GDI32(?,00000000), ref: 00559603
                                                        • DeleteObject.GDI32 ref: 00559616
                                                        • StrokePath.GDI32(?), ref: 00559631
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                                        • String ID:
                                                        • API String ID: 2625713937-0
                                                        • Opcode ID: fde154ed55e60ace17657bda7b7fd7499d4cb69430b700af05449617a3f66727
                                                        • Instruction ID: 31479a413a6931bc23802f748c788009e92058e055e58b83206e9443363f6a87
                                                        • Opcode Fuzzy Hash: fde154ed55e60ace17657bda7b7fd7499d4cb69430b700af05449617a3f66727
                                                        • Instruction Fuzzy Hash: 03F03134006249DBDB225F55ED1C7A83F62BB12322F08D617F925590F0C734855DDF60
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: __freea$_free
                                                        • String ID: a/p$am/pm
                                                        • API String ID: 3432400110-3206640213
                                                        • Opcode ID: 799fc7a937f394fcdea21743d796c2dedff3e59a9feb5897b6f78797f841c3a2
                                                        • Instruction ID: a9c5d6c2b3b212f955c8c4a94466cb1722db0c0a031f09b4f5eab6f8223ae8c7
                                                        • Opcode Fuzzy Hash: 799fc7a937f394fcdea21743d796c2dedff3e59a9feb5897b6f78797f841c3a2
                                                        • Instruction Fuzzy Hash: 7BD11475910A06CBDB248F6CE899BFABFB1FF05300F248919E509AB641D3359D80EB59
                                                        APIs
                                                          • Part of subcall function 00560242: EnterCriticalSection.KERNEL32(0061070C,00611884,?,?,0055198B,00612518,?,?,?,005412F9,00000000), ref: 0056024D
                                                          • Part of subcall function 00560242: LeaveCriticalSection.KERNEL32(0061070C,?,0055198B,00612518,?,?,?,005412F9,00000000), ref: 0056028A
                                                          • Part of subcall function 005600A3: __onexit.LIBCMT ref: 005600A9
                                                        • __Init_thread_footer.LIBCMT ref: 005C6238
                                                          • Part of subcall function 005601F8: EnterCriticalSection.KERNEL32(0061070C,?,?,00558747,00612514), ref: 00560202
                                                          • Part of subcall function 005601F8: LeaveCriticalSection.KERNEL32(0061070C,?,00558747,00612514), ref: 00560235
                                                          • Part of subcall function 005B359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005B35E4
                                                          • Part of subcall function 005B359C: LoadStringW.USER32(00612390,?,00000FFF,?), ref: 005B360A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                        • String ID: x#a$x#a$x#a
                                                        • API String ID: 1072379062-3060519877
                                                        • Opcode ID: 613e7163cdc7602e93fc27e409bfdbe61e73ae6aa60395bd61154e64b4f526d6
                                                        • Instruction ID: ec5994a2d2c1ee25688f7847fef3a136e4422c6c1a81c562344efbf89bcf21a0
                                                        • Opcode Fuzzy Hash: 613e7163cdc7602e93fc27e409bfdbe61e73ae6aa60395bd61154e64b4f526d6
                                                        • Instruction Fuzzy Hash: CAC14D75A00106AFCB14DF98C895EAEBBB9FF48300F14846EE9559B291DB70EE45CB90
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: JOT
                                                        • API String ID: 0-2578126627
                                                        • Opcode ID: dda7378bfef9d52616dfc64efb7bcac7c969fdd0d5beeba59b59099dc2ab4a82
                                                        • Instruction ID: 1d98de578ad8f4c25e80ba4ecffc04d917135478e126a767207e0543217d082e
                                                        • Opcode Fuzzy Hash: dda7378bfef9d52616dfc64efb7bcac7c969fdd0d5beeba59b59099dc2ab4a82
                                                        • Instruction Fuzzy Hash: FF51DF75D0060A9FCB219FA4E849FBE7FB8FF45310F14805AF409A7291E7B19901EB61
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00578B6E
                                                        • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00578B7A
                                                        • __dosmaperr.LIBCMT ref: 00578B81
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr
                                                        • String ID: .V
                                                        • API String ID: 2434981716-732867087
                                                        • Opcode ID: ee1fec47361f01666ce3fee8f21cf2b02bf241b3c378a2e518d8e10f84ff8f38
                                                        • Instruction ID: f8c4109a5bf4c3d14e67c6a56a98a3eca7e9e2398cd84dd68cfa49a8f0568623
                                                        • Opcode Fuzzy Hash: ee1fec47361f01666ce3fee8f21cf2b02bf241b3c378a2e518d8e10f84ff8f38
                                                        • Instruction Fuzzy Hash: 04418C70604045AFDB249F25EC99A797FA6FB85310F2CC5AAF88D87642DE318C02A790
                                                        APIs
                                                          • Part of subcall function 005AB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005A21D0,?,?,00000034,00000800,?,00000034), ref: 005AB42D
                                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 005A2760
                                                          • Part of subcall function 005AB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005A21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 005AB3F8
                                                          • Part of subcall function 005AB32A: GetWindowThreadProcessId.USER32(?,?), ref: 005AB355
                                                          • Part of subcall function 005AB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,005A2194,00000034,?,?,00001004,00000000,00000000), ref: 005AB365
                                                          • Part of subcall function 005AB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,005A2194,00000034,?,?,00001004,00000000,00000000), ref: 005AB37B
                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005A27CD
                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005A281A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                        • String ID: @
                                                        • API String ID: 4150878124-2766056989
                                                        • Opcode ID: 9041ee3c8cc634e062da96945995d6c7525111c9e85d09920e384250fb909189
                                                        • Instruction ID: f92cf4888b2c7c19b9c44342d6edf5e29a6089a145506bb69895c85488bb408c
                                                        • Opcode Fuzzy Hash: 9041ee3c8cc634e062da96945995d6c7525111c9e85d09920e384250fb909189
                                                        • Instruction Fuzzy Hash: E7411D72900219AFDF10DBA8CD46ADEBBB8FF4A700F104059FA55B7181DB706E45CBA1
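Triage note on the record above, with an added example that is not part of the Joe Sandbox report. The API set (OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory) is the shape analysts key on for process injection, but the argument values the report captured argue against it here: OpenProcess asks for 0x438, which decodes to PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION and no thread-creation right; VirtualAllocEx commits the buffer as PAGE_READWRITE (0x4), not an executable protection; and the SendMessageW calls carry the tree-view messages TVM_GETITEMRECT (0x1104) and TVM_HITTEST (0x1111), with LVM_GETITEMTEXTW (0x1073) and LVM_GETITEMCOUNT (0x1004) visible on the stack of the subcalls. A read-write buffer in the window owner's process plus common-control messages is the standard way to read list-view and tree-view items that belong to another process, which is consistent with the compiled-AutoIt signature in this report (that attribution is an inference, not something the record states). The Python below is my own triage helper: it parses the report's bullet lines (the sample text is copied from the record above and embedded as a constructed input), decodes the access mask, page protection and message IDs from the SDK constants named here, and separates "remote RW buffer for a control read" from "remote executable memory or remote thread". The verdict strings and the thresholds are my choices, not Joe Sandbox's.

```python
"""Triage a Joe Sandbox 'APIs' function record for remote-memory patterns.

Added example. The sample record is copied from the report; the constant
tables are Windows SDK values (winnt.h, commctrl.h). Verdict wording is mine.
"""
import re

# Constructed input: the API bullet lines of the record above, as rendered.
SAMPLE_RECORD = """\
• Part of subcall function 005AB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005A21D0,?,?,00000034,00000800,?,00000034), ref: 005AB42D
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 005A2760
• Part of subcall function 005AB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005A21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 005AB3F8
• Part of subcall function 005AB32A: GetWindowThreadProcessId.USER32(?,?), ref: 005AB355
• Part of subcall function 005AB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,005A2194,00000034,?,?,00001004,00000000,00000000), ref: 005AB365
• Part of subcall function 005AB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,005A2194,00000034,?,?,00001004,00000000,00000000), ref: 005AB37B
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005A27CD
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005A281A
"""

# One bullet: optional "Part of subcall function XXXXXXXX:", then Api.MODULE(args), ref: XXXXXXXX
LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)

# SDK constants (winnt.h / commctrl.h). Only the bits this triage needs.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION",
}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
WINDOW_MSG = {0x1004: "LVM_GETITEMCOUNT", 0x1073: "LVM_GETITEMTEXTW",
              0x1104: "TVM_GETITEMRECT", 0x1111: "TVM_HITTEST"}
THREAD_PRIMITIVES = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread",
                     "QueueUserAPC", "SetThreadContext", "NtSetContextThread"}


def parse_record(text):
    """Return one dict per API bullet; '?' arguments are kept as-is."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "module": m["mod"], "args": args,
                      "ref": m["ref"], "subcall": m["sub"]})
    return calls


def arg_int(call, idx):
    """Argument idx as an int, or None when the sandbox could not resolve it."""
    if idx >= len(call["args"]) or call["args"][idx] == "?":
        return None
    return int(call["args"][idx], 16)


def decode_mask(value, table):
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)          # bits we have no name for
    if rest:
        names.append(hex(rest))
    return names


def triage(calls):
    """Classify the record: injection candidate vs. cross-process control read."""
    apis = {c["api"] for c in calls}
    findings = {}
    for c in calls:
        if c["api"] == "OpenProcess" and (v := arg_int(c, 0)) is not None:
            findings["open_process_access"] = decode_mask(v, PROCESS_ACCESS)
        elif c["api"] == "VirtualAllocEx" and (v := arg_int(c, 4)) is not None:
            findings["valloc_protect"] = PAGE_PROTECT.get(v, hex(v))   # flProtect
        elif c["api"] == "SendMessageW" and (v := arg_int(c, 1)) is not None:
            findings.setdefault("messages", []).append(WINDOW_MSG.get(v, hex(v)))

    remote_rw = {"OpenProcess", "VirtualAllocEx",
                 "WriteProcessMemory", "ReadProcessMemory"} <= apis
    executes = (findings.get("valloc_protect", "").startswith("PAGE_EXECUTE")
                or bool(apis & THREAD_PRIMITIVES))
    if remote_rw and executes:
        verdict = "process-injection candidate: remote executable memory or thread primitive"
    elif remote_rw and findings.get("messages"):
        verdict = "cross-process control read: RW buffer plus common-control messages"
    elif remote_rw:
        verdict = "cross-process memory access, no execute primitive seen"
    else:
        verdict = "no remote-memory pattern"
    findings["verdict"] = verdict
    return findings


if __name__ == "__main__":
    for key, val in triage(parse_record(SAMPLE_RECORD)).items():
        print(f"{key}: {val}")
```

The decisive inputs are the arguments, not the API names: flip the VirtualAllocEx protection to 0x40 (PAGE_EXECUTE_READWRITE) or add a thread-creation call and the same helper reports an injection candidate. When the sandbox prints `?` for the argument that matters, the helper returns no decode for it and the verdict falls back to the weaker "no execute primitive seen", which is the honest answer rather than a guess.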
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00571769
                                                        • _free.LIBCMT ref: 00571834
                                                        • _free.LIBCMT ref: 0057183E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _free$FileModuleName
                                                        • String ID: C:\Users\user\Desktop\file.exe
                                                        • API String ID: 2506810119-3695852857
                                                        • Opcode ID: c52c44f6a91d3e8c4d92a6468c46ac62f58effd64368d696e457eb7cd5af168f
                                                        • Instruction ID: 08f3b3722aed24c507e49ee41d43404747d97d3c21acbf3abdca60ed7ffdd5fa
                                                        • Opcode Fuzzy Hash: c52c44f6a91d3e8c4d92a6468c46ac62f58effd64368d696e457eb7cd5af168f
                                                        • Instruction Fuzzy Hash: 8D31BF71A00619ABCB25DF99A885D9EBFBCFB85310F148166E90897211D6708A80EB95
                                                        APIs
                                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005AC306
                                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 005AC34C
                                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00611990,00EA4AB8), ref: 005AC395
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Menu$Delete$InfoItem
                                                        • String ID: 0
                                                        • API String ID: 135850232-4108050209
                                                        • Opcode ID: 49b7ef24489901bb72ae61b1556c90f8174f6149e917d7a053f8124e14f920da
                                                        • Instruction ID: 60dfc8f3a7ed5bee560762c8388c4054334c847558e14b406c8e8334933803ef
                                                        • Opcode Fuzzy Hash: 49b7ef24489901bb72ae61b1556c90f8174f6149e917d7a053f8124e14f920da
                                                        • Instruction Fuzzy Hash: 2B4180312083029FDB24DF25D845B5EBFE8BF86310F148A5EF9A597291D770A904CB52
                                                        APIs
                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,005DCC08,00000000,?,?,?,?), ref: 005D44AA
                                                        • GetWindowLongW.USER32 ref: 005D44C7
                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 005D44D7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                         • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window$Long
                                                        • String ID: SysTreeView32
                                                        • API String ID: 847901565-1698111956
                                                        APIs
                                                        • SysReAllocString.OLEAUT32(?,?), ref: 005A6EED
                                                        • VariantCopyInd.OLEAUT32(?,?), ref: 005A6F08
                                                        • VariantClear.OLEAUT32(?), ref: 005A6F12
                                                        Similarity
                                                        • API ID: Variant$AllocClearCopyString
                                                        • String ID: *jZ
                                                        • API String ID: 2173805711-3728155107
                                                        APIs
                                                          • Part of subcall function 005C335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,005C3077,?,?), ref: 005C3378
                                                        • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 005C307A
                                                        • _wcslen.LIBCMT ref: 005C309B
                                                        • htons.WSOCK32(00000000,?,?,00000000), ref: 005C3106
                                                        Similarity
                                                        • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                        • String ID: 255.255.255.255
                                                        • API String ID: 946324512-2422070025
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 005D3F40
                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 005D3F54
                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 005D3F78
                                                        Similarity
                                                        • API ID: MessageSend$Window
                                                        • String ID: SysMonthCal32
                                                        • API String ID: 2326795674-1439706946
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005D4705
                                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005D4713
                                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005D471A
                                                        Similarity
                                                        • API ID: MessageSend$DestroyWindow
                                                        • String ID: msctls_updown32
                                                        • API String ID: 4014797782-2298589950
                                                        Similarity
                                                        • API ID: _wcslen
                                                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                        • API String ID: 176396367-2734436370
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005D3840
                                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005D3850
                                                        • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005D3876
                                                        Similarity
                                                        • API ID: MessageSend$MoveWindow
                                                        • String ID: Listbox
                                                        • API String ID: 3315199576-2633736733
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000001), ref: 005B4A08
                                                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 005B4A5C
                                                        • SetErrorMode.KERNEL32(00000000,?,?,005DCC08), ref: 005B4AD0
                                                        Similarity
                                                        • API ID: ErrorMode$InformationVolume
                                                        • String ID: %lu
                                                        • API String ID: 2507767853-685833217
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005D424F
                                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 005D4264
                                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005D4271
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: msctls_trackbar32
                                                        • API String ID: 3850602802-1010561917
                                                        APIs
                                                          • Part of subcall function 00546B57: _wcslen.LIBCMT ref: 00546B6A
                                                          • Part of subcall function 005A2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 005A2DC5
                                                          • Part of subcall function 005A2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 005A2DD6
                                                          • Part of subcall function 005A2DA7: GetCurrentThreadId.KERNEL32 ref: 005A2DDD
                                                          • Part of subcall function 005A2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 005A2DE4
                                                        • GetFocus.USER32 ref: 005A2F78
                                                          • Part of subcall function 005A2DEE: GetParent.USER32(00000000), ref: 005A2DF9
                                                        • GetClassNameW.USER32(?,?,00000100), ref: 005A2FC3
                                                        • EnumChildWindows.USER32(?,005A303B), ref: 005A2FEB
                                                        Similarity
                                                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                        • String ID: %s%d
                                                        • API String ID: 1272988791-1110647743
                                                        APIs
                                                        • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005D58C1
                                                        • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 005D58EE
                                                        • DrawMenuBar.USER32(?), ref: 005D58FD
                                                        Similarity
                                                        • API ID: Menu$InfoItem$Draw
                                                        • String ID: 0
                                                        • API String ID: 3227129158-4108050209
                                                        APIs
                                                        • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0059D3BF
                                                        • FreeLibrary.KERNEL32 ref: 0059D3E5
                                                        Similarity
                                                        • API ID: AddressFreeLibraryProc
                                                        • String ID: GetSystemWow64DirectoryW$X64
                                                        • API String ID: 3013587201-2590602151
                                                        • Opcode ID: ffef31af8717e5524d5365faf2221bffd1dd7acc2e148bb64219fce6811a43a9
                                                        • Instruction ID: 3e782dc5b956481027c4b54e92c08d7b26877fd1a2f97cbdf88c51d3d91365e2
                                                        • Opcode Fuzzy Hash: ffef31af8717e5524d5365faf2221bffd1dd7acc2e148bb64219fce6811a43a9
                                                        • Instruction Fuzzy Hash: FDF0E526806622DBDF7557204C689A93F74BF11702BA98D57EC02EA254DB20CD88D6B2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: adc2a312e70f5ed5b4706f4b661b07fc420ba1099b293d0e7783c3744972da1c
                                                        • Instruction ID: bcf68971ef37ef37f59049ac58d87b844548f9ebaba0eab02a81e238679cb015
                                                        • Opcode Fuzzy Hash: adc2a312e70f5ed5b4706f4b661b07fc420ba1099b293d0e7783c3744972da1c
                                                        • Instruction Fuzzy Hash: 7FC18B75A1020AEFCB14CFA4C898BAEBBB5FF49314F209599E405EB291D731ED41DB90
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Variant$ClearInitInitializeUninitialize
                                                        • String ID:
                                                        • API String ID: 1998397398-0
                                                        • Opcode ID: 636531bfb8f0bf4ca9eacc203ebf9377958b97d69ca5aaff2a801676a75984df
                                                        • Instruction ID: 0ddc2f977bbc5cc2417354de2a50153d21e7ca653cc6adbb5895f5c110928d6b
                                                        • Opcode Fuzzy Hash: 636531bfb8f0bf4ca9eacc203ebf9377958b97d69ca5aaff2a801676a75984df
                                                        • Instruction Fuzzy Hash: 80A135756042159FCB10DF68C489E6ABBE5FF88714F04885DF98A9B362DB30EE05CB91
                                                        APIs
                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,005DFC08,?), ref: 005A05F0
                                                        • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,005DFC08,?), ref: 005A0608
                                                        • CLSIDFromProgID.OLE32(?,?,00000000,005DCC40,000000FF,?,00000000,00000800,00000000,?,005DFC08,?), ref: 005A062D
                                                        • _memcmp.LIBVCRUNTIME ref: 005A064E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: FromProg$FreeTask_memcmp
                                                        • String ID:
                                                        • API String ID: 314563124-0
                                                        • Opcode ID: 40a39a349353afce494dcfef1be054e2baf62a99a60610d8817c024384444a29
                                                        • Instruction ID: d40add856eef830ebb4e8ab001e7ee1af2b67fa347d08d1afe1e293ab621722f
                                                        • Opcode Fuzzy Hash: 40a39a349353afce494dcfef1be054e2baf62a99a60610d8817c024384444a29
                                                        • Instruction Fuzzy Hash: 85810C71A10109EFCB04DF94C988DEEBBB9FF89315F204559E516AB290DB71AE06CF60
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: 6db9c8c93627c756f9451910e3be4324765c951b32d4477f060cb1ffa0d07b6d
                                                        • Instruction ID: 82f3258e96ec9188ca0c213007817775dcc2edc139eff7cfbf035490fe80a604
                                                        • Opcode Fuzzy Hash: 6db9c8c93627c756f9451910e3be4324765c951b32d4477f060cb1ffa0d07b6d
                                                        • Instruction Fuzzy Hash: 3C414D35A009026BDF217BB89C49ABE3FADFF81330F144625FC19E71A2E67448425765
                                                        APIs
                                                        • GetWindowRect.USER32(?,?), ref: 005D62E2
                                                        • ScreenToClient.USER32(?,?), ref: 005D6315
                                                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 005D6382
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window$ClientMoveRectScreen
                                                        • String ID:
                                                        • API String ID: 3880355969-0
                                                        • Opcode ID: 6f6d3297fd6c8927cc7251ea6859d8d8f53bf3d7e2ee2909272dd6b82f451e78
                                                        • Instruction ID: d41a60f771b15b5cac5ef4e97868df2806b8ec7128fc82175f454028286f87d2
                                                        • Opcode Fuzzy Hash: 6f6d3297fd6c8927cc7251ea6859d8d8f53bf3d7e2ee2909272dd6b82f451e78
                                                        • Instruction Fuzzy Hash: 33511A74A00209AFCF20DF68D8809AE7BB6FB55360F14865BF9159B390D730ED82CB90
                                                        APIs
                                                        • socket.WSOCK32(00000002,00000002,00000011), ref: 005C1AFD
                                                        • WSAGetLastError.WSOCK32 ref: 005C1B0B
                                                        • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 005C1B8A   (unresolved import: ordinal 21 of WSOCK32 is setsockopt; 0000FFFF = SOL_SOCKET, 00000020 = SO_BROADCAST, i.e. the UDP socket created above is switched to broadcast)
                                                        • WSAGetLastError.WSOCK32 ref: 005C1B94
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$socket
                                                        • String ID:
                                                        • API String ID: 1881357543-0
                                                        • Opcode ID: 67ee26a9e4593564a6029c461ac0366b5e2ac0638696cf1e5405e7d4b79edbc8
                                                        • Instruction ID: 39f09d8b6730c5e4378bba051e5bd59d4357afca4a153d09285036c439d4d4ba
                                                        • Opcode Fuzzy Hash: 67ee26a9e4593564a6029c461ac0366b5e2ac0638696cf1e5405e7d4b79edbc8
                                                        • Instruction Fuzzy Hash: C4419E34600602AFE720AF24C88AF697BE5BB85718F54844DF91A9F3D3D772DD428B90
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 92fdb27d50486639ab139e1c6f0ec54c043b6ba8bcf157216b2d7cfd370fa073
                                                        • Instruction ID: ace65a7d3f779963a006ec3f7b2c798f55f21a424f6eacf78f3dbe6977ac3ecb
                                                        • Opcode Fuzzy Hash: 92fdb27d50486639ab139e1c6f0ec54c043b6ba8bcf157216b2d7cfd370fa073
                                                        • Instruction Fuzzy Hash: A7410875A00705AFEB24AF38DC49B6ABFFAFBC4710F10852AF549DB282D77199019780
                                                        APIs
                                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 005B5783
                                                        • GetLastError.KERNEL32(?,00000000), ref: 005B57A9
                                                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005B57CE
                                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005B57FA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                                        • String ID:
                                                        • API String ID: 3321077145-0
                                                        • Opcode ID: 902a3bf67cade7fc6f8a7b90509b47ac08e69a2c7913a3a8dfbf7f422978abba
                                                        • Instruction ID: 70938e69581dfd3759bb39818b22b6cb3ed70c08c4bddec8e578688d257d774f
                                                        • Opcode Fuzzy Hash: 902a3bf67cade7fc6f8a7b90509b47ac08e69a2c7913a3a8dfbf7f422978abba
                                                        • Instruction Fuzzy Hash: BD410939600611DFCB15DF15C548A9DBFE1FF89324B188889E84AAB362DB34FD04CB91
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,00566D71,00000000,00000000,005682D9,?,005682D9,?,00000001,00566D71,?,00000001,005682D9,005682D9), ref: 0057D910
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0057D999
                                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0057D9AB
                                                        • __freea.LIBCMT ref: 0057D9B4
                                                          • Part of subcall function 00573820: RtlAllocateHeap.NTDLL(00000000,?,00611444,?,0055FDF5,?,?,0054A976,00000010,00611440,005413FC,?,005413C6,?,00541129), ref: 00573852
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                        • String ID:
                                                        • API String ID: 2652629310-0
                                                        • Opcode ID: 0cadee924e4df6327f5cbfbf43ab2de9df3a4bb2fd684f40a38402d20d733e46
                                                        • Instruction ID: b3b4f6e480dbe2af5513de7634ee72ed7b70df7587d2e2b1087b43d59d71455e
                                                        • Opcode Fuzzy Hash: 0cadee924e4df6327f5cbfbf43ab2de9df3a4bb2fd684f40a38402d20d733e46
                                                        • Instruction Fuzzy Hash: 3A31BD72A0021AABDB249F64EC45EAE7FB5FF40350F058269FD0897250EB35CD54EBA0
                                                        APIs
                                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 005D5352
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 005D5375
                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 005D5382
                                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005D53A8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: LongWindow$InvalidateMessageRectSend
                                                        • String ID:
                                                        • API String ID: 3340791633-0
                                                        • Opcode ID: 28cf4a7524922b691ebbf1609542815718fa06f52fa090e16be9973213fcdeb7
                                                        • Instruction ID: 0849eb34c5a9c419639d380380565fc8180291b9533f77e53285c64f0577583a
                                                        • Opcode Fuzzy Hash: 28cf4a7524922b691ebbf1609542815718fa06f52fa090e16be9973213fcdeb7
                                                        • Instruction Fuzzy Hash: A831C434A55A08EFEB349E1CCC15BE87F66BB05390F984903FA10963E1E7B49950EB42
                                                        APIs
                                                        • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 005AABF1
                                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 005AAC0D
                                                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 005AAC74
                                                        • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 005AACC6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: KeyboardState$InputMessagePostSend
                                                        • String ID:
                                                        • API String ID: 432972143-0
                                                        • Opcode ID: b337e89b656db37155db0c73607ab29b9e9734d46343ab758c6e151d059aa039
                                                        • Instruction ID: 6dffe5e18e866ee4de07ff1b3af8b6d029c297259eb63c4116b1d9d804484f9a
                                                        • Opcode Fuzzy Hash: b337e89b656db37155db0c73607ab29b9e9734d46343ab758c6e151d059aa039
                                                        • Instruction Fuzzy Hash: 71311630A00619AFFF368B6488287FE7FA6BB86330F04461AF481961D1C3758D85D752
                                                        APIs
                                                        • ClientToScreen.USER32(?,?), ref: 005D769A
                                                        • GetWindowRect.USER32(?,?), ref: 005D7710
                                                        • PtInRect.USER32(?,?,005D8B89), ref: 005D7720
                                                        • MessageBeep.USER32(00000000), ref: 005D778C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Rect$BeepClientMessageScreenWindow
                                                        • String ID:
                                                        • API String ID: 1352109105-0
                                                        • Opcode ID: a98318b5b4094543d710cbdcc6d18880e4e7f988b892f86a9af9fb0779f6563d
                                                        • Instruction ID: 9c4892438c12eebf66a2605683e24a579a1de0491d11d9e4196db1a36866df00
                                                        • Opcode Fuzzy Hash: a98318b5b4094543d710cbdcc6d18880e4e7f988b892f86a9af9fb0779f6563d
                                                        • Instruction Fuzzy Hash: C7415D34A092199FCB21CF5CC894EA97BF5FB49314F1989ABE5249B361E730E941CB90
                                                        APIs
                                                        • GetForegroundWindow.USER32 ref: 005D16EB
                                                          • Part of subcall function 005A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005A3A57
                                                          • Part of subcall function 005A3A3D: GetCurrentThreadId.KERNEL32 ref: 005A3A5E
                                                          • Part of subcall function 005A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005A25B3), ref: 005A3A65
                                                        • GetCaretPos.USER32(?), ref: 005D16FF
                                                        • ClientToScreen.USER32(00000000,?), ref: 005D174C
                                                        • GetForegroundWindow.USER32 ref: 005D1752
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                        • String ID:
                                                        • API String ID: 2759813231-0
                                                        • Opcode ID: 13a980940accdf1ae624154a0f85850d492794bc567b68865c7a1594266c8a7a
                                                        • Instruction ID: 9e3c2b1015818f7e94a48294ec0fa4277e7660eb3a2dbe1dddebab9da3f390e5
                                                        • Opcode Fuzzy Hash: 13a980940accdf1ae624154a0f85850d492794bc567b68865c7a1594266c8a7a
                                                        • Instruction Fuzzy Hash: 6C314D75901249AFCB10DFA9C8858EEBBF9FF88308B5080AAE415E7211D6319E45CBA0
                                                        APIs
                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 005AD501
                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 005AD50F
                                                        • Process32NextW.KERNEL32(00000000,?), ref: 005AD52F
                                                        • CloseHandle.KERNEL32(00000000), ref: 005AD5DC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                        • String ID:
                                                        • API String ID: 420147892-0
                                                        • Opcode ID: 097aad079fca89ef8244dd7153ca1d8815141e85c2c4f00ca0bc9693bde0a03b
                                                        • Instruction ID: 0289ef0cb5376f56699459f31902cf5d4150f6268cd2b32c17d7ebc8d75ff5c4
                                                        • Opcode Fuzzy Hash: 097aad079fca89ef8244dd7153ca1d8815141e85c2c4f00ca0bc9693bde0a03b
                                                        • Instruction Fuzzy Hash: D93172711083019FD311EF54C885AAFBFF8BFD9354F14092DF582861A1EB719948CBA2
                                                        APIs
                                                          • Part of subcall function 00559BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00559BB2
                                                        • GetCursorPos.USER32(?), ref: 005D9001
                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00597711,?,?,?,?,?), ref: 005D9016
                                                        • GetCursorPos.USER32(?), ref: 005D905E
                                                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00597711,?,?,?), ref: 005D9094
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                        • String ID:
                                                        • API String ID: 2864067406-0
                                                        • Opcode ID: a8c78e19579213b4a2f8a4d1d9d23d69fd3360b01c7bbce08baf2a91bfe67516
                                                        • Instruction ID: cc479f249404c36d3d7df94adde27d94c9b5000a068c2bf8e95299b9c4e6e35e
                                                        • Opcode Fuzzy Hash: a8c78e19579213b4a2f8a4d1d9d23d69fd3360b01c7bbce08baf2a91bfe67516
                                                        • Instruction Fuzzy Hash: 3A219135601018EFDB259F98D858EEA7FB9FF8A350F048157F9059B261C3319950EB61
                                                        APIs
                                                        • GetFileAttributesW.KERNEL32(?,005DCB68), ref: 005AD2FB
                                                        • GetLastError.KERNEL32 ref: 005AD30A
                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 005AD319
                                                        • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,005DCB68), ref: 005AD376
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CreateDirectory$AttributesErrorFileLast
                                                        • String ID:
                                                        • API String ID: 2267087916-0
                                                        • Opcode ID: f3d82f5464f92f777d275d8b69ac7132d65db30dd6464307815181a7dfd4a560
                                                        • Instruction ID: 1e8326c50d7a6ffa10662ddd011e46d3168154806d1059f5c92b19486127dff7
                                                        • Opcode Fuzzy Hash: f3d82f5464f92f777d275d8b69ac7132d65db30dd6464307815181a7dfd4a560
                                                        • Instruction Fuzzy Hash: 89215E745052029F8B10EF28C8854AEBFE4BE96364F504E1BF49AC72A1D731D949CBA3
                                                        APIs
                                                          • Part of subcall function 005A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005A102A
                                                          • Part of subcall function 005A1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005A1036
                                                          • Part of subcall function 005A1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005A1045
                                                          • Part of subcall function 005A1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005A104C
                                                          • Part of subcall function 005A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005A1062
                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005A15BE
                                                        • _memcmp.LIBVCRUNTIME ref: 005A15E1
                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005A1617
                                                        • HeapFree.KERNEL32(00000000), ref: 005A161E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                        • String ID:
                                                        • API String ID: 1592001646-0
                                                        • Opcode ID: ccdbce8ea9f78e7a5e25ef54bfdf50364ef51cdff317884999628d3fd4eb198b
                                                        • Instruction ID: 0333705b1bc159d48d0f8dd24bd9cce9307d4d72186bccfcbd1d4bb62212db08
                                                        • Opcode Fuzzy Hash: ccdbce8ea9f78e7a5e25ef54bfdf50364ef51cdff317884999628d3fd4eb198b
                                                        • Instruction Fuzzy Hash: D0215731E41509ABDF10DFA4C949BEEBBB8FF85344F084459E441AB241E730AA05DBA4
                                                        APIs
                                                        • GetWindowLongW.USER32(?,000000EC), ref: 005D280A
                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 005D2824
                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 005D2832
                                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 005D2840
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window$Long$AttributesLayered
                                                        • String ID:
                                                        • API String ID: 2169480361-0
                                                        • Opcode ID: aa3a6270e8056c712b7fc22d1efaba9a11ad5291b4f78efc3d5ebd2c31463525
                                                        • Instruction ID: c467887bc3c78acca2d5bdd0e280e8818e56a1e6d54859ebaada0a0336908352
                                                        • Opcode Fuzzy Hash: aa3a6270e8056c712b7fc22d1efaba9a11ad5291b4f78efc3d5ebd2c31463525
                                                        • Instruction Fuzzy Hash: D421B231205112AFD7249B28C844FAA7F95FF95324F14815BF4168B792C771FC82DB90
                                                        APIs
                                                          • Part of subcall function 005A8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,005A790A,?,000000FF,?,005A8754,00000000,?,0000001C,?,?), ref: 005A8D8C
                                                          • Part of subcall function 005A8D7D: lstrcpyW.KERNEL32(00000000,?,?,005A790A,?,000000FF,?,005A8754,00000000,?,0000001C,?,?,00000000), ref: 005A8DB2
                                                          • Part of subcall function 005A8D7D: lstrcmpiW.KERNEL32(00000000,?,005A790A,?,000000FF,?,005A8754,00000000,?,0000001C,?,?), ref: 005A8DE3
                                                        • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,005A8754,00000000,?,0000001C,?,?,00000000), ref: 005A7923
                                                        • lstrcpyW.KERNEL32(00000000,?,?,005A8754,00000000,?,0000001C,?,?,00000000), ref: 005A7949
                                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,005A8754,00000000,?,0000001C,?,?,00000000), ref: 005A7984
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: lstrcmpilstrcpylstrlen
                                                        • String ID: cdecl
                                                        • API String ID: 4031866154-3896280584
                                                        • Opcode ID: fa1d1d2b71394016d179c12525cf82820d6f092171613a73261c1d7c09630856
                                                        • Instruction ID: 948740ac94caa601d6ab2ab8a47f4ba313254f4e061fd1aeaacfee42b5cde4f4
                                                        • Opcode Fuzzy Hash: fa1d1d2b71394016d179c12525cf82820d6f092171613a73261c1d7c09630856
                                                        • Instruction Fuzzy Hash: 4511063A201206AFCB255F34DC45D7F7BA9FF9A350B00402BF802C72A4EB319811D791
                                                        APIs
                                                        • GetWindowLongW.USER32(?,000000F0), ref: 005D7D0B
                                                        • SetWindowLongW.USER32(00000000,000000F0,?), ref: 005D7D2A
                                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 005D7D42
                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,005BB7AD,00000000), ref: 005D7D6B
                                                          • Part of subcall function 00559BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00559BB2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window$Long
                                                        • String ID:
                                                        • API String ID: 847901565-0
                                                        • Opcode ID: 1d79d7438582a5ad8c711de7f8ddee99a13950d5138cdd0d2fbf6c287c1cdbc2
                                                        • Instruction ID: f722cfedd75889977534f9a52a55d3df079194872fb6e59e3b5609bf2cb3db09
                                                        • Opcode Fuzzy Hash: 1d79d7438582a5ad8c711de7f8ddee99a13950d5138cdd0d2fbf6c287c1cdbc2
                                                        • Instruction Fuzzy Hash: E81181316156199FCB209F2CDC04AA63FA6BF4A360B158767F935CB2F0E7309951DB90
                                                        APIs
                                                        • SendMessageW.USER32(?,00001060,?,00000004), ref: 005D56BB
                                                        • _wcslen.LIBCMT ref: 005D56CD
                                                        • _wcslen.LIBCMT ref: 005D56D8
                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 005D5816
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSend_wcslen
                                                        • String ID:
                                                        • API String ID: 455545452-0
                                                        • Opcode ID: 0b414115f504f1b2687bc0786ec5ad05bef8537c82f07229c6361810893fe2b5
                                                        • Instruction ID: 0a245d9daf3b618e9d59726921a0c2c2417911341cf30af087b3c79730bd7700
                                                        • Opcode Fuzzy Hash: 0b414115f504f1b2687bc0786ec5ad05bef8537c82f07229c6361810893fe2b5
                                                        • Instruction Fuzzy Hash: 3111AF71A00609D6DF309B698C85AEE7FACFB51760B10852BF915DA281FB70CA84CF60
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 346454494d192ec34ead20b206d495f4a5ad9ba83157f0420fe3ee421c0329f3
                                                        • Instruction ID: 737ab788177e9852a8f9f34e9a4db00ac21f9f06884ab481bb5595b7d941a86f
                                                        • Opcode Fuzzy Hash: 346454494d192ec34ead20b206d495f4a5ad9ba83157f0420fe3ee421c0329f3
                                                        • Instruction Fuzzy Hash: 020171B2205A167EFA2116787CC5F676F1DFF813B4F348326F529911D1DB608C40B564
                                                        APIs
                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 005A1A47
                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005A1A59
                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005A1A6F
                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005A1A8A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID:
                                                        • API String ID: 3850602802-0
                                                        • Opcode ID: ee67843434d7e928af705ddd0a64508a2a2dc3e9ea9e024204bb041782362e57
                                                        • Instruction ID: 07b6e891c4222dadf3eb1e875e80ef26dac7a889e26f2d539fdd883a94fe588a
                                                        • Opcode Fuzzy Hash: ee67843434d7e928af705ddd0a64508a2a2dc3e9ea9e024204bb041782362e57
                                                        • Instruction Fuzzy Hash: 60113C3AD01219FFEB10DBA4CD85FADBB78FB04750F200092E601B7290D6716E50DB98
                                                        APIs
                                                        • GetCurrentThreadId.KERNEL32 ref: 005AE1FD
                                                        • MessageBoxW.USER32(?,?,?,?), ref: 005AE230
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 005AE246
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 005AE24D
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                        • String ID:
                                                        • API String ID: 2880819207-0
                                                        • Opcode ID: 8693eb61325b81435707bf54b32052bd811057a1ee8bafd1292b5b879000fcff
                                                        • Instruction ID: a7735108c5e67002c15b881a33e402b572d40b1c894b4f489c985097122219ae
                                                        • Opcode Fuzzy Hash: 8693eb61325b81435707bf54b32052bd811057a1ee8bafd1292b5b879000fcff
                                                        • Instruction Fuzzy Hash: 2011C876904259BBC7119BA8DC0ABDE7FADEF46310F048657F924D7291D6708904C7B0
                                                        APIs
                                                        • CreateThread.KERNEL32(00000000,?,0056CFF9,00000000,00000004,00000000), ref: 0056D218
                                                        • GetLastError.KERNEL32 ref: 0056D224
                                                        • __dosmaperr.LIBCMT ref: 0056D22B
                                                        • ResumeThread.KERNEL32(00000000), ref: 0056D249
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                        • String ID:
                                                        • API String ID: 173952441-0
                                                        • Opcode ID: 5555ec1d880ee81f8bde3ced0ac2f7a4f031de0d42b358821004e871be460ed9
                                                        • Instruction ID: 79ca92292d30d0eed35b557a8a7f37f947e37e517a728b0af1ff7cdcafc3cab9
                                                        • Opcode Fuzzy Hash: 5555ec1d880ee81f8bde3ced0ac2f7a4f031de0d42b358821004e871be460ed9
                                                        • Instruction Fuzzy Hash: F701C03AE05205BBCB215BA5DC09AAA7F79FF82330F104A1AF925931D0DB718945D7B0
                                                        APIs
                                                          • Part of subcall function 00559BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00559BB2
                                                        • GetClientRect.USER32(?,?), ref: 005D9F31
                                                        • GetCursorPos.USER32(?), ref: 005D9F3B
                                                        • ScreenToClient.USER32(?,?), ref: 005D9F46
                                                        • DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 005D9F7A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Client$CursorLongProcRectScreenWindow
                                                        • String ID:
                                                        • API String ID: 4127811313-0
                                                        • Opcode ID: c3cf83ccea945b681439d33df183d1f99d688cad4cd93158ea26b4f4a568b91a
                                                        • Instruction ID: 44b6a81c536ad83d6585d32fdcf9aca6a1c66b6ea71b86af9b22eb27dce11958
                                                        • Opcode Fuzzy Hash: c3cf83ccea945b681439d33df183d1f99d688cad4cd93158ea26b4f4a568b91a
                                                        • Instruction Fuzzy Hash: 1B11453290111BABDB21DFA8D8899EE7BB9FB45311F404557F912E7240D330BA85CBA1
                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0054604C
                                                        • GetStockObject.GDI32(00000011), ref: 00546060
                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 0054606A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CreateMessageObjectSendStockWindow
                                                        • String ID:
                                                        • API String ID: 3970641297-0
                                                        • Opcode ID: 2b6b08ee9645dc27b44e87929cc6fbe58435a270564f0ff05616ed9520a77087
                                                        • Instruction ID: d4329e9c037449243eef2ce1aa67ccdbcc7619d8aeb01be0dd2b63c8466e57a9
                                                        • Opcode Fuzzy Hash: 2b6b08ee9645dc27b44e87929cc6fbe58435a270564f0ff05616ed9520a77087
                                                        • Instruction Fuzzy Hash: 24115E72502509BFEF225F949C48AEABF69FF19359F040216FA1956110D732DC60EB92
                                                        APIs
                                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 00563B56
                                                          • Part of subcall function 00563AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00563AD2
                                                          • Part of subcall function 00563AA3: ___AdjustPointer.LIBCMT ref: 00563AED
                                                        • _UnwindNestedFrames.LIBCMT ref: 00563B6B
                                                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00563B7C
                                                        • CallCatchBlock.LIBVCRUNTIME ref: 00563BA4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                        • String ID:
                                                        • API String ID: 737400349-0
                                                        • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                        • Instruction ID: 8973db7b4fea1d574bbf8a9296468c5fca071d31476d117beeeeaa4b17999b34
                                                        • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                        • Instruction Fuzzy Hash: C301E93210014ABBDF125E95CC4AEEB7F69FF99764F044014FE4857121C732E961EBA0
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005413C6,00000000,00000000,?,0057301A,005413C6,00000000,00000000,00000000,?,0057328B,00000006,FlsSetValue), ref: 005730A5
                                                        • GetLastError.KERNEL32(?,0057301A,005413C6,00000000,00000000,00000000,?,0057328B,00000006,FlsSetValue,005E2290,FlsSetValue,00000000,00000364,?,00572E46), ref: 005730B1
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0057301A,005413C6,00000000,00000000,00000000,?,0057328B,00000006,FlsSetValue,005E2290,FlsSetValue,00000000), ref: 005730BF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad$ErrorLast
                                                        • String ID:
                                                        • API String ID: 3177248105-0
                                                        • Opcode ID: db9d342f454d8ed194a5e00b3cccebef5c6c2f951a91396699743a397989f0d0
                                                        • Instruction ID: ffa59ad03912ff1bf65d9e929c7bf82a5bcc63a5c226412984b840f9a9cc2486
                                                        • Opcode Fuzzy Hash: db9d342f454d8ed194a5e00b3cccebef5c6c2f951a91396699743a397989f0d0
                                                        • Instruction Fuzzy Hash: F101D436352232ABCB314A78BC4C9577F98BF15B71B208721F909E7190D721D909F6E0
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 005A747F
                                                        • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 005A7497
                                                        • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005A74AC
                                                        • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005A74CA
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Type$Register$FileLoadModuleNameUser
                                                        • String ID:
                                                        • API String ID: 1352324309-0
                                                        • Opcode ID: 3c49c1fcff60063e8bd3a24fe876927955defc155f0bb151573e8dbcee174342
                                                        • Instruction ID: 90f3e8e75ac4acc0423728757b068c8f51200a538d89d4e7c5e19046d83f0f8b
                                                        • Opcode Fuzzy Hash: 3c49c1fcff60063e8bd3a24fe876927955defc155f0bb151573e8dbcee174342
                                                        • Instruction Fuzzy Hash: 7311A1B12063199FEB308F14DC08F967FFCFB09B00F10856AA626D6151D770E908EB60
                                                        APIs
                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,005AACD3,?,00008000), ref: 005AB0C4
                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,005AACD3,?,00008000), ref: 005AB0E9
                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,005AACD3,?,00008000), ref: 005AB0F3
                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,005AACD3,?,00008000), ref: 005AB126
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CounterPerformanceQuerySleep
                                                        • String ID:
                                                        • API String ID: 2875609808-0
                                                        • Opcode ID: 5e58d25c8d844ce4fa33c2d4bd8a7aba3bcf1290febebac94f6f7124a4ccb8d1
                                                        • Instruction ID: 941a68db561c3cd32a60229a7302d905d041ca1b148391ae5a9ca1fd3da971bd
                                                        • Opcode Fuzzy Hash: 5e58d25c8d844ce4fa33c2d4bd8a7aba3bcf1290febebac94f6f7124a4ccb8d1
                                                        • Instruction Fuzzy Hash: CF11AD30C0152DEBDF10AFE4E9686EEBF78FF5A311F004496D941B2182CB305650DB91
                                                        APIs
                                                        • GetWindowRect.USER32(?,?), ref: 005D7E33
                                                        • ScreenToClient.USER32(?,?), ref: 005D7E4B
                                                        • ScreenToClient.USER32(?,?), ref: 005D7E6F
                                                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 005D7E8A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ClientRectScreen$InvalidateWindow
                                                        • String ID:
                                                        • API String ID: 357397906-0
                                                        • Opcode ID: 3e542f2e5016cb4982d7289a216f1da00e6204604451707428d0ca37ff0b709e
                                                        • Instruction ID: 32f3d647cd30836a365fce0967740cac4b6fb372715319675f2883b8983d975b
                                                        • Opcode Fuzzy Hash: 3e542f2e5016cb4982d7289a216f1da00e6204604451707428d0ca37ff0b709e
                                                        • Instruction Fuzzy Hash: 641143B9D0020AAFDB51CFA8C884AEEBBF9FB18310F505156E915E2210D735AA54DF90
                                                        APIs
                                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 005A2DC5
                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 005A2DD6
                                                        • GetCurrentThreadId.KERNEL32 ref: 005A2DDD
                                                        • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 005A2DE4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                        • String ID:
                                                        • API String ID: 2710830443-0
                                                        • Opcode ID: c1a93b832c52590d1fe3c0cb0e1bcb7fb049be8def5accbd818c79eab7c45804
                                                        • Instruction ID: cd42b9790d1ed951b2bac5ba4337804e20a572a9e09bf93b0cad420318ebb98e
                                                        • Opcode Fuzzy Hash: c1a93b832c52590d1fe3c0cb0e1bcb7fb049be8def5accbd818c79eab7c45804
                                                        • Instruction Fuzzy Hash: 5FE06DB11022257ADB301BAA9C0EEEB3F6CFF63BA1F000017B505D10819AA4C845D6B0
                                                        APIs
                                                          • Part of subcall function 00559639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00559693
                                                          • Part of subcall function 00559639: SelectObject.GDI32(?,00000000), ref: 005596A2
                                                          • Part of subcall function 00559639: BeginPath.GDI32(?), ref: 005596B9
                                                          • Part of subcall function 00559639: SelectObject.GDI32(?,00000000), ref: 005596E2
                                                        • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 005D8887
                                                        • LineTo.GDI32(?,?,?), ref: 005D8894
                                                        • EndPath.GDI32(?), ref: 005D88A4
                                                        • StrokePath.GDI32(?), ref: 005D88B2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                        • String ID:
                                                        • API String ID: 1539411459-0
                                                        • Opcode ID: 26d8054416f317e9a2b999e1c5743ebe1dfd95dd6ba2ad4afbcd812d8bb7453c
                                                        • Instruction ID: a561d63dc87ee7b41bff1c4147f1543640597c5d4d3458178f068facf970f12d
                                                        • Opcode Fuzzy Hash: 26d8054416f317e9a2b999e1c5743ebe1dfd95dd6ba2ad4afbcd812d8bb7453c
                                                        • Instruction Fuzzy Hash: 8AF09A3600229AFADB221F94AC0DFDE3F59AF16311F088003FA11650E1C7741515EBE5
                                                        APIs
                                                        • GetSysColor.USER32(00000008), ref: 005598CC
                                                        • SetTextColor.GDI32(?,?), ref: 005598D6
                                                        • SetBkMode.GDI32(?,00000001), ref: 005598E9
                                                        • GetStockObject.GDI32(00000005), ref: 005598F1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Color$ModeObjectStockText
                                                        • String ID:
                                                        • API String ID: 4037423528-0
                                                        • Opcode ID: e7ac76870de7f40ee76d8d867fa852ed05f579072c7805e0592c8c853c8c481f
                                                        • Instruction ID: cfdf1ff866c450ba26e3bbcb4b3b87033d305c0e1a66136afa46f8d9095f810d
                                                        • Opcode Fuzzy Hash: e7ac76870de7f40ee76d8d867fa852ed05f579072c7805e0592c8c853c8c481f
                                                        • Instruction Fuzzy Hash: 8AE06D31245295AADF315BB4BC09BE83F20BB26336F04821BF6FA580E1C3714648EB10
                                                        APIs
                                                        • GetCurrentThread.KERNEL32 ref: 005A1634
                                                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,005A11D9), ref: 005A163B
                                                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005A11D9), ref: 005A1648
                                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,005A11D9), ref: 005A164F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CurrentOpenProcessThreadToken
                                                        • String ID:
                                                        • API String ID: 3974789173-0
                                                        • Opcode ID: 9e6dc6858b8def2caccec8dbe1a86205b5241dd71c314978eb71fbaa8fae176d
                                                        • Instruction ID: cf75b38f83493c5b96c805a70c38cc3f7edcd3e5a13bc691a2750d9d2ca233f9
                                                        • Opcode Fuzzy Hash: 9e6dc6858b8def2caccec8dbe1a86205b5241dd71c314978eb71fbaa8fae176d
                                                        • Instruction Fuzzy Hash: 3AE08631603212DBD7301FE09E0DB4A3F7CBF657A1F14480BF245CA080D6344448D754
                                                        APIs
                                                        • GetDesktopWindow.USER32 ref: 0059D858
                                                        • GetDC.USER32(00000000), ref: 0059D862
                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0059D882
                                                        • ReleaseDC.USER32(?), ref: 0059D8A3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                        • String ID:
                                                        • API String ID: 2889604237-0
                                                        • Opcode ID: b86b5afbb7db0696f4fa339fe2f271eace8dec1dffe29b8fa1f9ed990988e890
                                                        • Instruction ID: 8bbe675a6ce61dcca61f22f26ec2c3549895281edbb788062944ceec2c69fbe8
                                                        • Opcode Fuzzy Hash: b86b5afbb7db0696f4fa339fe2f271eace8dec1dffe29b8fa1f9ed990988e890
                                                        • Instruction Fuzzy Hash: 05E0E5B5801206EFCB619FA4980C66DBFB1FB58311B18840BE806A7250C7388909EF50
                                                        APIs
                                                        • GetDesktopWindow.USER32 ref: 0059D86C
                                                        • GetDC.USER32(00000000), ref: 0059D876
                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0059D882
                                                        • ReleaseDC.USER32(?), ref: 0059D8A3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                        • String ID:
                                                        • API String ID: 2889604237-0
                                                        • Opcode ID: eb8cc53de7560bb1951d743b8ad11ead201981d58c4b63c2cc345ea3b3587d7d
                                                        • Instruction ID: db0a04b3ae403f09a0f61e32d0fcd04f4cbece97d24a0725360a2d5846d457be
                                                        • Opcode Fuzzy Hash: eb8cc53de7560bb1951d743b8ad11ead201981d58c4b63c2cc345ea3b3587d7d
                                                        • Instruction Fuzzy Hash: A6E09A75801206EFCB619FA4D80C66DBFB5FB58311B14844BE946E7350D7399909EF50
                                                        APIs
                                                          • Part of subcall function 00547620: _wcslen.LIBCMT ref: 00547625
                                                        • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 005B4ED4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Connection_wcslen
                                                        • String ID: *$LPT
                                                        • API String ID: 1725874428-3443410124
                                                        • Opcode ID: 43d32a716cdc7ca867e63321e33d9a2d8966a0fecb77ee6d74a59a6b2eda5b4e
                                                        • Instruction ID: 78cf8f9e664c28d9fd286aa968ea2fa32832ca39b5c5b2d6422f0cb1ac86b22a
                                                        • Opcode Fuzzy Hash: 43d32a716cdc7ca867e63321e33d9a2d8966a0fecb77ee6d74a59a6b2eda5b4e
                                                        • Instruction Fuzzy Hash: B9912A75A002559FCB24DF58C484EEABBB5BF48308F198099E80A9F362D735ED85CF91
                                                        APIs
                                                        • CharUpperBuffW.USER32(0059569E,00000000,?,005DCC08,?,00000000,00000000), ref: 005C78DD
                                                          • Part of subcall function 00546B57: _wcslen.LIBCMT ref: 00546B6A
                                                        • CharUpperBuffW.USER32(0059569E,00000000,?,005DCC08,00000000,?,00000000,00000000), ref: 005C783B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: BuffCharUpper$_wcslen
                                                        • String ID: <s`
                                                        • API String ID: 3544283678-2609942155
                                                        • Opcode ID: fe0c274cd5f0f545542640690eefa44c6e59e35e27fe771f0425cd7f5358f385
                                                        • Instruction ID: 64bfaf1564e70ad18a31ad88120ff6051ec54b58be7bef7c8e7143fe79d281cf
                                                        • Opcode Fuzzy Hash: fe0c274cd5f0f545542640690eefa44c6e59e35e27fe771f0425cd7f5358f385
                                                        • Instruction Fuzzy Hash: 3B613B7291411AAECF04EFE4CC99EFDBB78FF58304F544529E642A7091EB305A09DBA0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: #
                                                        • API String ID: 0-1885708031
                                                        • Opcode ID: cb779e005479644acd1e46fa2538842d6c0b1cb754b2c033eb6701b4490221f2
                                                        • Instruction ID: b5b10583020eacc4d192303f27373a68517ada13d9ef87ce6211a44255e2c6d8
                                                        • Opcode Fuzzy Hash: cb779e005479644acd1e46fa2538842d6c0b1cb754b2c033eb6701b4490221f2
                                                        • Instruction Fuzzy Hash: C8513239504286DFDF18DFA8C096AFA7FA8FF55310F244416EC919B2D0D6349E86CBA1
                                                        APIs
                                                        • Sleep.KERNEL32(00000000), ref: 0055F2A2
                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 0055F2BB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: GlobalMemorySleepStatus
                                                        • String ID: @
                                                        • API String ID: 2783356886-2766056989
                                                        • Opcode ID: 6ea358916b28fcf1fb5e8b03165c18e2b1695565dcc68036b6d731c6ae5ebafb
                                                        • Instruction ID: fca8c21699fb5208d8d851dda3468c67ade60e4f5d901228d7c6f0ca593f9a6d
                                                        • Opcode Fuzzy Hash: 6ea358916b28fcf1fb5e8b03165c18e2b1695565dcc68036b6d731c6ae5ebafb
                                                        • Instruction Fuzzy Hash: 30513771409749ABD320AF50DC8ABABBBF8FBD4304F81885DF1D941195EB318529CB6B
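The records above list each function's API chain as flat bullet lines (the token-acquisition chain OpenThreadToken/OpenProcessToken, the GetDesktopWindow/GetDC/GetDeviceCaps probe whose second argument 0000000C is the BITSPIXEL index, and the Sleep/GlobalMemoryStatusEx pair). The Python script below is an added example, not part of this report or of Joe Sandbox: it parses records in exactly this layout, keys them by their API String ID, and flags call chains against a small triage table. The table, its labels and the sample records (copied from the layout above and condructed into one string) are the editor's own assumptions. One caveat worth keeping in mind when reading the hits: the report identifies the sample as a compiled AutoIt script, so the 0x540000 image is the AutoIt interpreter and these chains are its built-in functions (memory statistics, desktop depth, drive mapping, URL parsing); they appear in benign compiled scripts as well and say little on their own about what the embedded script does.

```python
"""Parse Joe Sandbox per-function records (the "APIs" / "Similarity" blocks)
and flag API chains worth a second look during triage.  Editor's example."""
import re

# One report line per API call, e.g.
#   • OpenThreadToken.ADVAPI32(00000000,?,?,?,005A11D9), ref: 005A163B
#   • GetCurrentThread.KERNEL32 ref: 005A1634
#   • Part of subcall function 00547620: _wcslen.LIBCMT ref: 00547625
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# Metadata bullets such as "• API String ID: 3974789173-0" or "• String ID:".
FIELD_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Triage table (assumption for this example, not a Joe Sandbox signature).
# A label fires when every API in its set occurs in the same function.
CHAINS = {
    "physical-memory size query (common sandbox/VM heuristic)": {"GlobalMemoryStatusEx"},
    "display colour-depth probe": {"GetDesktopWindow", "GetDC", "GetDeviceCaps"},
    "thread/process token acquisition (privilege check)": {"OpenThreadToken", "OpenProcessToken"},
    "network share mapping": {"WNetUseConnectionW"},
    "URL component parsing": {"InternetCrackUrlW"},
}
# GetDeviceCaps index constants from wingdi.h, used to decode the second argument.
DEVICECAPS = {0x08: "HORZRES", 0x0A: "VERTRES", 0x0C: "BITSPIXEL", 0x58: "LOGPIXELSX"}

# Constructed sample in the report's layout: three records, condensed.
SAMPLE = """\
APIs
• GetCurrentThread.KERNEL32 ref: 005A1634
• OpenThreadToken.ADVAPI32(00000000,?,?,?,005A11D9), ref: 005A163B
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005A11D9), ref: 005A1648
• OpenProcessToken.ADVAPI32(00000000,?,?,?,005A11D9), ref: 005A164F
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
• Instruction Fuzzy Hash: 3AE08631603212DBD7301FE09E0DB4A3F7CBF657A1F14480BF245CA080D6344448D754
APIs
• GetDesktopWindow.USER32 ref: 0059D858
• GetDC.USER32(00000000), ref: 0059D862
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 0059D882
• ReleaseDC.USER32(?), ref: 0059D8A3
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• API String ID: 2889604237-0
• Instruction Fuzzy Hash: 05E0E5B5801206EFCB619FA4980C66DBFB1FB58311B18840BE806A7250C7388909EF50
APIs
• Sleep.KERNEL32(00000000), ref: 0055F2A2
• GlobalMemoryStatusEx.KERNEL32(?), ref: 0055F2BB
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Instruction Fuzzy Hash: 30513771409749ABD320AF50DC8ABABBBF8FBD4304F81885DF1D941195EB318529CB6B
"""


def parse_records(text):
    """Split report text into per-function records.  A record closes at its
    'Instruction Fuzzy Hash' bullet, the last field Joe Sandbox prints per function."""
    records, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur["apis"].append({"name": m["name"], "module": m["module"],
                                "args": args, "ref": m["ref"], "subcall": m["sub"]})
            continue
        f = FIELD_LINE.match(line)
        if f:
            key = f["key"].strip()
            cur[key.lower().replace(" ", "_")] = f["val"].strip()
            if key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = {"apis": []}
    if cur["apis"] or len(cur) > 1:   # tolerate a trailing, unterminated record
        records.append(cur)
    return records


def classify(record):
    """Return the triage labels whose API sets are fully present in the record,
    plus a decoded GetDeviceCaps index when that call is present."""
    names = {a["name"] for a in record["apis"]}
    labels = [label for label, needed in CHAINS.items() if needed <= names]
    for a in record["apis"]:
        if a["name"] == "GetDeviceCaps" and len(a["args"]) >= 2:
            try:
                idx = int(a["args"][1], 16)
            except ValueError:      # argument shown as "?" (unresolved)
                continue
            labels.append(f"GetDeviceCaps index {DEVICECAPS.get(idx, hex(idx))}")
    return labels


def triage(text):
    """Map each flagged record's API String ID to its labels; silent records are omitted."""
    return {rec.get("api_string_id", "?"): classify(rec)
            for rec in parse_records(text) if classify(rec)}


if __name__ == "__main__":
    for api_string_id, hits in triage(SAMPLE).items():
        print(api_string_id, "->", "; ".join(hits))
```

Feed it the report's text export (the bullet lines keep their leading whitespace, which the parser strips); functions with no hit are dropped so the output is only the handful of records worth opening in the disassembler. Treat hits as pointers to the interpreter's capabilities, and confirm against the decompiled AutoIt script before calling any of them evasion.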
                                                        APIs
                                                        • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 005C57E0
                                                        • _wcslen.LIBCMT ref: 005C57EC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: BuffCharUpper_wcslen
                                                        • String ID: CALLARGARRAY
                                                        • API String ID: 157775604-1150593374
                                                        • Opcode ID: eebf88de781e3263895d6ebe44188e29f44d09fad435e12936e6bcd80d50b879
                                                        • Instruction ID: 32973b5fd2ec78845939a81aab56083e07d7caa575d60e93fc0aafd56d36b0ad
                                                        • Opcode Fuzzy Hash: eebf88de781e3263895d6ebe44188e29f44d09fad435e12936e6bcd80d50b879
                                                        • Instruction Fuzzy Hash: 68417F31A0010A9FCB14DFE8C895DAEBFB5FF99354F24406EE505A7291E730AD81CBA0
                                                        APIs
                                                        • _wcslen.LIBCMT ref: 005BD130
                                                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005BD13A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CrackInternet_wcslen
                                                        • String ID: |
                                                        • API String ID: 596671847-2343686810
                                                        • Opcode ID: 8178a989925a3a5214ea235191a096641ab5bf8f5747c3380da1ded7fcc4efa3
                                                        • Instruction ID: b4999b1e5ed4149369e218ef240260b2815f2aaeb2bb6b9018598b1de995448b
                                                        • Opcode Fuzzy Hash: 8178a989925a3a5214ea235191a096641ab5bf8f5747c3380da1ded7fcc4efa3
                                                        • Instruction Fuzzy Hash: 4D313E71D0120AABCF15EFA4CC89AEFBFB9FF45304F000019F815A6162E731AA56DB60
                                                        APIs
                                                        • DestroyWindow.USER32(?,?,?,?), ref: 005D3621
                                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005D365C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window$DestroyMove
                                                        • String ID: static
                                                        • API String ID: 2139405536-2160076837
                                                        • Opcode ID: 1c24cb6799de6746f309b255d5b9d303a5c188c35f8b67771559414af6af1552
                                                        • Instruction ID: f4df10babdbea4c351586ab83eb00b079a3bb3672af8298a808fecb6eadb1bb6
                                                        • Opcode Fuzzy Hash: 1c24cb6799de6746f309b255d5b9d303a5c188c35f8b67771559414af6af1552
                                                        • Instruction Fuzzy Hash: F531AB71100205AEDB20DF28DC80EFB7BA9FF88724F00961BF8A597280DA31ED81D761
                                                        APIs
                                                        • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 005D461F
                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005D4634
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: '
                                                        • API String ID: 3850602802-1997036262
                                                        • Opcode ID: 4598260fbe9795f2146c8877991463998bb8216a70b502e18296143f2db16dc2
                                                        • Instruction ID: dd8a5c2df26836e2f9e3f2d705803092a6f47587a498b282961c9621e6da25ee
                                                        • Opcode Fuzzy Hash: 4598260fbe9795f2146c8877991463998bb8216a70b502e18296143f2db16dc2
                                                        • Instruction Fuzzy Hash: F5310574A0120A9FDB24CFA9D991BEABBB5FF49300F14446BE905AB391D770E941CF90
                                                        APIs
                                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005D327C
                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005D3287
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: MessageSend
                                                        • String ID: Combobox
                                                        • API String ID: 3850602802-2096851135
                                                        • Opcode ID: a852b4d12958ca33224e5e98156daf66d08745df72ebff3923c9038d4b460125
                                                        • Instruction ID: ecf30fa3de35ef96e4788b1d8eb1cfc67722a152420156e04f872046ef287085
                                                        • Opcode Fuzzy Hash: a852b4d12958ca33224e5e98156daf66d08745df72ebff3923c9038d4b460125
                                                        • Instruction Fuzzy Hash: A311D075A00209AFEF219E98DC84EBB3F6AFB94364F10412BF9189B390D6319D518761
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _wcslen
                                                        • String ID: (8$HANDLE
                                                        • API String ID: 176396367-13500549
                                                        • Opcode ID: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
                                                        • Instruction ID: 4ffb00d8291077e6cb0fdaeacacd86ee671fd9917c4e8fe8e9c3aa7ce2af4667
                                                        • Opcode Fuzzy Hash: 48deb52f5dcb1a1ec2d68bc8dc9d77364c80f45fa2f2292cbd0477775692746a
                                                        • Instruction Fuzzy Hash: A21122715201159FEB289F14E88BBADBBA8FF82722F60446AE000CF0C4E7709E818B14
                                                        APIs
                                                          • Part of subcall function 0054600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0054604C
                                                          • Part of subcall function 0054600E: GetStockObject.GDI32(00000011), ref: 00546060
                                                          • Part of subcall function 0054600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0054606A
                                                        • GetWindowRect.USER32(00000000,?), ref: 005D377A
                                                        • GetSysColor.USER32(00000012), ref: 005D3794
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                        • String ID: static
                                                        • API String ID: 1983116058-2160076837
                                                        • Opcode ID: 4f2e0b741cc482bc22aab61618643707f1f0299b18b3e0660671b76643ddc213
                                                        • Instruction ID: eec22cd02822ed9695909792c2556fb92f20f1ca5b85dfa3abf4743674badf90
                                                        • Opcode Fuzzy Hash: 4f2e0b741cc482bc22aab61618643707f1f0299b18b3e0660671b76643ddc213
                                                        • Instruction Fuzzy Hash: B31167B261020AAFDF10DFA8CC4AEFA7BB8FB08304F004916F955E2250E735E910DB60
                                                        APIs
                                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 005BCD7D
                                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 005BCDA6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Internet$OpenOption
                                                        • String ID: <local>
                                                        • API String ID: 942729171-4266983199
                                                        • Opcode ID: 2b1c5da7fa8911aaa22a2ca8b302bd4d08a62712910a3b0759c4a1fc444fbf47
                                                        • Instruction ID: 18df7789be992fbe3e78947c412c0b8059866e68496ddd9a9688e7aeed23c118
                                                        • Opcode Fuzzy Hash: 2b1c5da7fa8911aaa22a2ca8b302bd4d08a62712910a3b0759c4a1fc444fbf47
                                                        • Instruction Fuzzy Hash: DA110279205672BED7384B668C48EF7BEACFF227A4F40422AB14983180D770A840D6F4
                                                        APIs
                                                        • GetWindowTextLengthW.USER32(00000000), ref: 005D34AB
                                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005D34BA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: LengthMessageSendTextWindow
                                                        • String ID: edit
                                                        • API String ID: 2978978980-2167791130
                                                        • Opcode ID: 433e3f71ff7b6bf2714dcd336719dabb8cc8a413bbfbc1d1165f2dea7f714012
                                                        • Instruction ID: 2ce71fdac918a3922615399e06607ac8ca6d77f8ee7a6ac61e92c6c4d5cf8e9e
                                                        • Opcode Fuzzy Hash: 433e3f71ff7b6bf2714dcd336719dabb8cc8a413bbfbc1d1165f2dea7f714012
                                                        • Instruction Fuzzy Hash: 6F119D71100109AAEF218E68EC48AEB3F6AFB15378F508727F960972D0C779DC519752
                                                        APIs
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                        • CharUpperBuffW.USER32(?,?,?), ref: 005A6CB6
                                                        • _wcslen.LIBCMT ref: 005A6CC2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _wcslen$BuffCharUpper
                                                        • String ID: STOP
                                                        • API String ID: 1256254125-2411985666
                                                        • Opcode ID: 4155fc3a8f72d3082245aefc0b8814aef6b56076e00cf4098ae4c821c0a64837
                                                        • Instruction ID: 73908cdbebc61e37654deff2863aaf8e26bb310e02c1ab048af1b6cf5dc65edf
                                                        • Opcode Fuzzy Hash: 4155fc3a8f72d3082245aefc0b8814aef6b56076e00cf4098ae4c821c0a64837
                                                        • Instruction Fuzzy Hash: C20104326005278BCB209FBDDC958BF3FB5FEA27647450924E86293195EA31DD00C650
                                                        APIs
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                          • Part of subcall function 005A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005A3CCA
                                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 005A1D4C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ClassMessageNameSend_wcslen
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 624084870-1403004172
                                                        • Opcode ID: 042ab6edfe58f6c48ce5c52a7ffd9d1b08852e98eea9101f490f008a22f1c543
                                                        • Instruction ID: 48633e442c9fe2bcc637265d8e80ede66ee4f9fabe6c0529c68ffcd9e7188929
                                                        • Opcode Fuzzy Hash: 042ab6edfe58f6c48ce5c52a7ffd9d1b08852e98eea9101f490f008a22f1c543
                                                        • Instruction Fuzzy Hash: A801F535651215ABCB08EBA4CC5A8FF7BA9FF83354F000A1AB832572C1EA305D088660
                                                        APIs
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                          • Part of subcall function 005A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005A3CCA
                                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 005A1C46
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ClassMessageNameSend_wcslen
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 624084870-1403004172
                                                        • Opcode ID: 07f348230c09c4e885728619e7e6f45f730fc1a3c0d7e583a7e3e018ee981830
                                                        • Instruction ID: 70eeccb424d1ef8cb3c190280d7a2a553fb3f237367f88f514ae16c6798771f1
                                                        • Opcode Fuzzy Hash: 07f348230c09c4e885728619e7e6f45f730fc1a3c0d7e583a7e3e018ee981830
                                                        • Instruction Fuzzy Hash: BC01F775AC110566CB08EB90DE6A9FF7FA8BF52350F10001AB406672C2EA209E08C6B5
                                                        APIs
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                          • Part of subcall function 005A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005A3CCA
                                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 005A1CC8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ClassMessageNameSend_wcslen
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 624084870-1403004172
                                                        • Opcode ID: 25154e9af29de47790c055f7558f7eea09418e7c76451a683c1e34f009bd403f
                                                        • Instruction ID: 32f649ece2de4256919196249a5890091a39cb39ac561e37dbb722f63bbffb69
                                                        • Opcode Fuzzy Hash: 25154e9af29de47790c055f7558f7eea09418e7c76451a683c1e34f009bd403f
                                                        • Instruction Fuzzy Hash: 3701DB75A8111567CF14E794DE6BAFF7FA8BF52394F140015B80277281EA209F08C6B5
                                                        APIs
                                                        • __Init_thread_footer.LIBCMT ref: 0055A529
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Init_thread_footer_wcslen
                                                        • String ID: ,%a$3yY
                                                        • API String ID: 2551934079-2205486753
                                                        • Opcode ID: 7835afd7dfb2cb47be8617c7bd4bb1e23abbe824ec87516073fd213cc5e784a6
                                                        • Instruction ID: 3b2f4a69d90ba25302a1702af184e038e344650c11a1be0de798998c95a29f94
                                                        • Opcode Fuzzy Hash: 7835afd7dfb2cb47be8617c7bd4bb1e23abbe824ec87516073fd213cc5e784a6
                                                        • Instruction Fuzzy Hash: 6701F73160061287CE10F7B8D87FEDE3F55BB85711F440626F902572C2EE506D458697
                                                        APIs
                                                          • Part of subcall function 00549CB3: _wcslen.LIBCMT ref: 00549CBD
                                                          • Part of subcall function 005A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005A3CCA
                                                        • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 005A1DD3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ClassMessageNameSend_wcslen
                                                        • String ID: ComboBox$ListBox
                                                        • API String ID: 624084870-1403004172
                                                        • Opcode ID: 1f70028c79a3061ce15014f916be6a04b86a28a2ac47609f1206babf63769eb5
                                                        • Instruction ID: 81149b8747cb7926af3c3f05e339c56540989940abe82d405bed588930d09aec
                                                        • Opcode Fuzzy Hash: 1f70028c79a3061ce15014f916be6a04b86a28a2ac47609f1206babf63769eb5
                                                        • Instruction Fuzzy Hash: 4EF0F471A8161666DB08F7A4DDAAAFF7F68BF42394F040915B822672C2DA605D0886A4
                                                        APIs
                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00613018,0061305C), ref: 005D81BF
                                                        • CloseHandle.KERNEL32 ref: 005D81D1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateHandleProcess
                                                        • String ID: \0a
                                                        • API String ID: 3712363035-2132044283
                                                        • Opcode ID: be4ca66be602248a1880ab9d28fb710eab758ed2d36de48a4a1101def56da571
                                                        • Instruction ID: ff302fcea4882a0959f416986a6e9273a12f7cfac6a9a56bf6d0076aa6847690
                                                        • Opcode Fuzzy Hash: be4ca66be602248a1880ab9d28fb710eab758ed2d36de48a4a1101def56da571
                                                        • Instruction Fuzzy Hash: 88F0B4B1640310BAE3206B606C05FF73E9DEB18752F044422BB09D63A1D6758B0493B4
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: _wcslen
                                                        • String ID: 3, 3, 16, 1
                                                        • API String ID: 176396367-3042988571
                                                        • Opcode ID: f62c94da3137a729b1457a69ee12e5c1fec1349f5d13f232adb9f5397206f928
                                                        • Instruction ID: 403d66b03eda5b44660bcbee6eb8fc76af94f971b9573bf5bf70e236d20fbfb8
                                                        • Opcode Fuzzy Hash: f62c94da3137a729b1457a69ee12e5c1fec1349f5d13f232adb9f5397206f928
                                                        • Instruction Fuzzy Hash: 0DE02B0264472118A73912B99CC5F7F5E8AFFCD750710182FF981C3666EA948DD197A0
                                                        APIs
                                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 005A0B23
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Message
                                                        • String ID: AutoIt$Error allocating memory.
                                                        • API String ID: 2030045667-4017498283
                                                        • Opcode ID: acb8f45a8e16a941c17aa4585f1789e50d5adc00730a897dd8321583bfd06a6a
                                                        • Instruction ID: a6b2ae5b189d27f43717bab3f3fafaa69b8599c8cc9b4a3ffd17eb6c5af44712
                                                        • Opcode Fuzzy Hash: acb8f45a8e16a941c17aa4585f1789e50d5adc00730a897dd8321583bfd06a6a
                                                        • Instruction Fuzzy Hash: 25E0D83128430A26D2243754BC07FCD7F88EF05B15F10042BFB58555C38AD2689096A9
                                                        APIs
                                                          • Part of subcall function 0055F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00560D71,?,?,?,0054100A), ref: 0055F7CE
                                                        • IsDebuggerPresent.KERNEL32(?,?,?,0054100A), ref: 00560D75
                                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0054100A), ref: 00560D84
                                                        Strings
                                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00560D7F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                        • API String ID: 55579361-631824599
                                                        • Opcode ID: 9973506199829d35b63134187f29eda024a38d74e7683ce05b626a338f98b9cf
                                                        • Instruction ID: e233821652006c3e664345cccb3e7556af2f7d9b6f7fe5e2bef25b96a9925231
                                                        • Opcode Fuzzy Hash: 9973506199829d35b63134187f29eda024a38d74e7683ce05b626a338f98b9cf
                                                        • Instruction Fuzzy Hash: F8E039742003028BD7709FA8E4082467FE4BB14745F048A2FE486C7695DBB1E4489B91
                                                        APIs
                                                        • __Init_thread_footer.LIBCMT ref: 0055E3D5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Init_thread_footer
                                                        • String ID: 0%a$8%a
                                                        • API String ID: 1385522511-290635068
                                                        • Opcode ID: 24b2fbc60606ff664e7e9e28fe0d66661df28753dc94c244357cf14766af8846
                                                        • Instruction ID: c6d65abcb406bec8bd084d1b323cc13fe8cd14de75bc8548c344d7f636d5643d
                                                        • Opcode Fuzzy Hash: 24b2fbc60606ff664e7e9e28fe0d66661df28753dc94c244357cf14766af8846
                                                        • Instruction Fuzzy Hash: D0E02631400912CBC708DB18F9FAAC83B57BB45321B196967E802871D1DB3039858644
                                                        APIs
                                                        • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 005B302F
                                                        • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 005B3044
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: Temp$FileNamePath
                                                        • String ID: aut
                                                        • API String ID: 3285503233-3010740371
                                                        • Opcode ID: f76d16bbd0480ebbc5947c926e4e4d19f476bff4abf2c1e40c3b76f2d9d27dc0
                                                        • Instruction ID: 6688592a680e08baa71c3b4d337d36cf565b4776fbfa6f50ac06c81db8dbad8a
                                                        • Opcode Fuzzy Hash: f76d16bbd0480ebbc5947c926e4e4d19f476bff4abf2c1e40c3b76f2d9d27dc0
                                                        • Instruction Fuzzy Hash: 1ED05B7554131467DA30A7949C0DFC73F6CD714750F000293B695D20D1DAF09544CAD0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: LocalTime
                                                        • String ID: %.3d$X64
                                                        • API String ID: 481472006-1077770165
                                                        • Opcode ID: 83535d8b55aa1f39b3527ff7a8c4ee51921af669cab88701030e8fe04964530d
                                                        • Instruction ID: 9774f660eaf8705ba2bfad1d50ef7ae30a47422ffcf5ad9c7ccf54aa3eeb3eec
                                                        • Opcode Fuzzy Hash: 83535d8b55aa1f39b3527ff7a8c4ee51921af669cab88701030e8fe04964530d
                                                        • Instruction Fuzzy Hash: 91D01269C09109E9CF9497D0CC498BEBB7CFB18301F908853FC0691080E624D50CA771
                                                        APIs
                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005D236C
                                                        • PostMessageW.USER32(00000000), ref: 005D2373
                                                          • Part of subcall function 005AE97B: Sleep.KERNELBASE ref: 005AE9F3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: FindMessagePostSleepWindow
                                                        • String ID: Shell_TrayWnd
                                                        • API String ID: 529655941-2988720461
                                                        • Opcode ID: c5d1d85c041f67d6f5786426a25494d9eba48ac161a360832ccef7be1878ad6d
                                                        • Instruction ID: c91cd9f241be8ceb78c99045e3e0aa0eb36e01b53dbcfd89bacba101d8f6821a
                                                        • Opcode Fuzzy Hash: c5d1d85c041f67d6f5786426a25494d9eba48ac161a360832ccef7be1878ad6d
                                                        • Instruction Fuzzy Hash: A3D0C9323C2311BAEA78A770EC0FFCB7A59AB55B10F0149177645AA1D0C9A0A805CA54
                                                        APIs
                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005D232C
                                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005D233F
                                                          • Part of subcall function 005AE97B: Sleep.KERNELBASE ref: 005AE9F3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: FindMessagePostSleepWindow
                                                        • String ID: Shell_TrayWnd
                                                        • API String ID: 529655941-2988720461
                                                        • Opcode ID: b8fcb0ff27fad23a3e06c6860157d9effb63551abf9920bae199906481c16764
                                                        • Instruction ID: 3bfead5a3c7040dc7353a4d23a1d7204553a1dc3613d3f03cd4b4f97dcec1c1f
                                                        • Opcode Fuzzy Hash: b8fcb0ff27fad23a3e06c6860157d9effb63551abf9920bae199906481c16764
                                                        • Instruction Fuzzy Hash: 7DD0C936395311BAEA78A770EC0FFCB7E59AB51B10F0149177645AA1D0C9A0A805CA54
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0057BE93
                                                        • GetLastError.KERNEL32 ref: 0057BEA1
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0057BEFC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2194593523.0000000000541000.00000020.00000001.01000000.00000003.sdmp, Offset: 00540000, based on PE: true
                                                        • Associated: 00000000.00000002.2194580454.0000000000540000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.00000000005DC000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194643766.0000000000602000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194679818.000000000060C000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.2194693343.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_540000_file.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$ErrorLast
                                                        • String ID:
                                                        • API String ID: 1717984340-0
                                                        • Opcode ID: af22c535aedb2fd40ea10ff4f4c29305a450f03227e47264a5276479f65cf153
                                                        • Instruction ID: 916d704a3b371734a5389113a289c18f3a829ef7c420a2c2cf05938c08844713
                                                        • Opcode Fuzzy Hash: af22c535aedb2fd40ea10ff4f4c29305a450f03227e47264a5276479f65cf153
                                                        • Instruction Fuzzy Hash: 3441D734601216AFEF218F65EC94BAA7FA9FF41710F14816AF95D972A1DB308D00EF51